Hi Henry,

On 03/10/2015 03:25 PM, Henry Versemann wrote:
> I have a new dictionary that I want to build, using data from another
> dictionary. I have a view which is receiving a single key/value pair
> from the original dictionary. Then in the view I've defined the new
> dictionary like this:
>
> innerDict = {}
>
> Now I want to make this as dynamic as possible so I'm trying to use the
> "eval()" statement below to add the new key/value pair to the new
> dictionary, which is declared above. Will the following code work to
> actually add the new key/value pair to the new dictionary?
>
> innrDictCmnd = "innerDict['"+newinnrkey+"'] = newinnrval"
> eval(innrDictCmnd)
>
> If not why not, and in lieu of the statements above not working, then
> how would I do it?

It doesn't work, because eval() only accepts expressions; assignment is
a statement. Using exec() instead of eval() will work (though the way
you have it written, it will always assign the string "newinnrval" --
perhaps you meant to end innrDictCmnd with '... = ' + newinnrval).

But regardless, you should not use either eval() or exec().

Since you say this code is in a view, I assume that newinnrkey comes
from request data (user input). Imagine what happens if I am a malicious
user and I call this view with newinnrkey set to:

'] = 0; import os; os.rm('/'); d = {}; d['

Oops.

Both exec() and eval() should be avoided. They are very rarely
necessary, they usually make code less readable and maintainable, and if
you ever accidentally pass user input to them, you've opened up a
security hole in your application that someone could drive a truck through.

For your case, what's wrong with just writing `innerDict[newinnerkey] =
newinnerval`? It's every bit as dynamic as the version using eval or
exec - the eval/exec gains you nothing.

Carl
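
The three approaches discussed in this thread, side by side, as an added example that is not part of the original messages. The function names, the explicit namespace dict passed to eval()/exec(), and the constructed key (which only appends a marker to a list) are assumptions made for illustration.

```python
def build_with_eval(key, value):
    """First attempt from the question: eval() on an assignment string."""
    innerDict = {}
    cmd = "innerDict['" + key + "'] = newinnrval"
    try:
        eval(cmd, {"innerDict": innerDict, "newinnrval": value})
    except SyntaxError:
        return None  # assignment is a statement; eval() takes expressions only
    return innerDict


def build_with_exec(key, value, side_effects):
    """exec() variant: runs, but the key is parsed as Python source."""
    innerDict = {}
    ns = {"innerDict": innerDict, "newinnrval": value,
          "side_effects": side_effects}
    exec("innerDict['" + key + "'] = newinnrval", ns)
    return innerDict


def build_directly(key, value):
    """Plain subscript assignment: the key is only ever data."""
    innerDict = {}
    innerDict[key] = value
    return innerDict


# Constructed key: closes the subscript, adds a harmless marker statement,
# then reopens a subscript so the rest of the command still parses.
HOSTILE_KEY = "a'] = 0; side_effects.append('injected'); d = {}; d['"

if __name__ == "__main__":
    print(build_with_eval("color", "red"))
    log = []
    print(build_with_exec(HOSTILE_KEY, "red", log), log)
    print(build_directly(HOSTILE_KEY, "red"))
```

With the constructed key, the exec() version stores 0 under 'a' and runs the extra statement, while the direct assignment stores the whole string as an ordinary dictionary key.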