Safety of eval function
I keep hearing that the eval() function is unsafe. It is a nice function, because you can use it like
print eval("2.5*49.7/(23+3.14)")
and it will solve the math.
Is there any way to protect against some nasty-minded person entering "os.system(command)", where the command will erase a file or all files?
drink her pretty
Several languages offer the eval() function and its safety is hotly debated. You hear eval() is only one letter away from evil()!
My feeling is: if eval() is directly connected to user input, avoid it!!! This is particularly true for Python's input() function, which uses raw_input() and then sends the string to eval() to extract the number. In this case you can't even intercept the input, so if a nasty person enters (don't even try this!!!) "__import__('os').system('del *.*')" you have just wiped out all the files on your drive!
If you use raw_input(), then you could check the input string for 'os' or 'system' before sending it to the eval() function. A safe use of eval() would be in a GUI calculator, where the input is limited by the buttons you have supplied.
May 'the Google' be with you!