Re: eval without warnings



On Tue, 27 Sep 2005, Bryan R Harris wrote:

> I'd like to evaluate user input only where it makes sense, e.g.
>
> "2*(3+2)" ==> 10
> "2*dog" ==> "2*dog"
> "mysquarefunction(2)" ==> 4
> "3*mysquarefunction(2)" ==> 12
> "some guy" ==> "some guy"

What happens when they put something in like

"system('rm -rf /')"

?

Blindly running input from users is a bad, bad, bad, bad idea.

Figure out what kind of input you need from them, specify it as narrowly
as you can manage, and then validate that it does match that spec.



--
Chris Devers

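One way to act on that advice for the examples Bryan gave: instead of handing the string to eval, spell out the grammar that is actually wanted (numbers, + - * /, parentheses, and one allowlisted function name) and parse against it, returning the string untouched whenever it falls outside that spec. This is an added example, not code from the thread; the function name mysquarefunction is taken from Bryan's message, and the grammar itself is an assumption about what "makes sense" here.

```perl
use strict; use warnings;
# Allowlist of callable names (assumed for this example); nothing else can be invoked.
my %FUNCS = (mysquarefunction => sub { $_[0] * $_[0] });
# Spec: expr := term (('+'|'-') term)*  term := factor (('*'|'/') factor)*
#       factor := NUMBER | NAME '(' expr ')' | '(' expr ')' | '-' factor
sub tokenize {
    my ($s, @tok) = @_;
    while ($s =~ /\G\s*(\d+(?:\.\d+)?|[a-z_]\w*|[-+*\/()])/gc) { push @tok, $1 }
    return $s =~ /\G\s*\z/gc ? \@tok : undef;   # leftover characters: out of spec
}
sub safe_eval {     # computed value, or the original string when it is outside the spec
    my ($input) = @_;
    my $tok = tokenize($input) or return $input;
    my $i = 0;
    my $peek = sub { $i < @$tok ? $tok->[$i]   : '' };
    my $next = sub { $i < @$tok ? $tok->[$i++] : '' };
    my ($expr, $term, $factor);
    $factor = sub {
        my $t = $next->();
        return -$factor->() if $t eq '-';
        return $t           if $t =~ /^\d/;
        my $f = $FUNCS{$t};                  # undef unless $t is an allowlisted name
        die "unexpected token '$t'\n" unless $f || $t eq '(';   # 'dog', 'system', ...
        if ($f) { $next->() eq '(' or die "expected (\n" }
        my $v = $expr->();
        $next->() eq ')' or die "expected )\n";
        return $f ? $f->($v) : $v;
    };
    $term = sub {
        my $v = $factor->();
        while ($peek->() =~ m{^[*/]$}) {
            my ($op, $r) = ($next->(), $factor->());
            die "division by zero\n" if $op eq '/' && $r == 0;
            $v = $op eq '*' ? $v * $r : $v / $r;
        }
        return $v;
    };
    $expr = sub {
        my $v = $term->();
        while ($peek->() =~ /^[-+]$/) {
            my ($op, $r) = ($next->(), $term->());
            $v = $op eq '+' ? $v + $r : $v - $r;
        }
        return $v;
    };
    my $val = eval { my $v = $expr->(); $i == @$tok or die "trailing input\n"; $v };
    return defined $val ? $val : $input;   # any violation of the spec: hand it back as-is
}
printf "%-24s ==> %s\n", qq("$_"), safe_eval($_)
    for '2*(3+2)', '2*dog', 'mysquarefunction(2)', '3*mysquarefunction(2)', 'some guy';
```

Anything the tokenizer or parser does not recognise, including a quote character or a name that is not in %FUNCS, never reaches any code path that could execute it; it simply comes back as the input string.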