The refinement and misuse of Python:eval

The eval () function is powerful, as the official demo interprets the string str as a valid expression to evaluate and return the result of the calculation.

So, combining math as a calculator is very useful.

Other methods of use can convert list,tuple,dict and string to each other. See the following example:

A = "[[up], [3,4], [5,6], [7,8], [9,0]]" B = eval (a) bout[3]: [[1, 2], [3, 4], [5, 6], [7, 8], [9, 0]]type (b) out[4]: lista = "{1: ' A ', 2: ' B '}" B = eval (a) bout[7]: {1: ' A ', 2: ' B '}type (b) out[8]: dicta = "([up], [3,4], [5,6], [7,8], (9,0))" B = Ev Al (a) bout[11]: ([1, 2], [3, 4], [5, 6], [7, 8], (9, 0))

Not very powerful!

but!

Powerful functions are at the cost. Security is one of its biggest drawbacks.

Think about the use of the environment: users need to enter an expression. and evaluated.

Assume that the user entered maliciously. Like what:

__import__ (' OS '). System (' dir ')

After eval (), you will find that the current folder file is now in front of the user.

Then continue typing:

Open (' File name '). Read ()

The code is given to people.

Gets the completion, a delete command. The file disappears.

Let's cry!

How to avoid security problems?

1, self-written check function;

2. Use Ast.literal_eval: View document by yourself

3, many other good text: Restricted "safe" eval (Python recipe)

This article by @the_third_wave (blog address: http://blog.csdn.net/zhanh1218) original.

There are not covered, will be updated periodically, there are errors please correct me.

If you see this blog post as incomplete, that's why I first announced half of the crawler to prevent it. Please see the original author blog.

Let's say this blog post is helpful to you for a good network environment. not recommended reprint, recommended collection. Suppose you must reprint. Please bring the suffix and the address of this document.

The refinement and misuse of Python:eval