+ 1

If I pass the variable bound to input into eval, with try block restrictions on the input first, is the code safe?

while True: listcomp_str = input() try: if blah not in listcomp_str and yada or bada: listcomp = eval("{0}".format(listcomp_str)) break else: raise SomeError except SomeError: print("Some Error: ... Please try again.") The indentation might be off. Just a simple representation. Is this how we get rid of eval() danger when there's no direct access to the code? Thank you.

3rd Aug 2022, 1:27 PM
Korkunç el Gato
Korkunç el Gato - avatar
6 Answers
+ 2
One answer how to make it safe here. http://lybniz2.sourceforge.net/safeeval.html
11th Aug 2022, 11:53 PM
Chris Coder
Chris Coder - avatar
+ 5
Korkunç el Gato , not sure what you wanted to achieve. can you give a task description what the input could be and what you expect to get as output. The code shown somewhat distracts from the actual task.
3rd Aug 2022, 1:40 PM
Lothar
Lothar - avatar
+ 2
Lothar I'm trying to learn to use eval without the risks. Say I get a string in the form of an array as input, and I want to use it in eval, but I want to make sure that I put restrictions on input first, before I use eval on it. I mean I do have a code , and I do have the same question there, but I'm asking about the infamous eval, exec etc ilk here: https://code.sololearn.com/cErVOtfD4qeh/?ref=app (Edited the wording to suit the code here.)
3rd Aug 2022, 1:45 PM
Korkunç el Gato
Korkunç el Gato - avatar
+ 2
Lothar Could you at least give feedback why I haven't been able to get answers? All I tried to show with the title question code was an example of using eval with the input variable as argument, after the input's tested for certain characters. No underscore, no keyword, etc. As long as user input is restricted to disallow executable stuff, is it still as bad to use eval as they say? People have given various answers to this. It's the responses along the lines of "Been a programmer for 15 years, there's no code I have been unable to write without resorting to eval()" that makes me ask this question. Some avoid it like the plague. --------- Can somebody please help me? Just because I have the habit of looking up the internet doesn't mean I can assess the different opinions of expert coders as to their relevance.
4th Aug 2022, 5:47 AM
Korkunç el Gato
Korkunç el Gato - avatar
+ 1
This place is going to be my Eval Journal. I wasn't even going to put a code into this. I had a code that raised the question but the question didn't need a code. I just created a representative case to get past the q&a standard. Because it's not an opinion question but it was going to be treated as such. On SoloLearn discussion, there are lots of eval questions. Nearly half are Javascript(edit: not Java). Then nearly half of those that are Python are about rhe syntax of eval and how to use it. The rest is about safety, asks to use it or not. Python gets updated and eval's remained. Apparently it's meant to be used. So apparently there are measures one can take when using it. A search on the internet leads one to replies on q&a sites talking about "sanitizing the input". So how to sanitize the input? Now I don't know if that’s a very CS term or choice of expression. Yesterday I didn't have time to look for "input sanitizing". Today I do.
5th Aug 2022, 9:59 AM
Korkunç el Gato
Korkunç el Gato - avatar
0
Again there's not one answer on how to "safely" use eval(). Once I gather enough info, I'll delete my posts(own replies) and put that info here. Then I will rephrase the question to "how to use eval() safely" and because "to show my attempt" has proved unimportant for this case, I will delete that also, and just post links or paraphrase others' codes if I can.
5th Aug 2022, 10:04 AM
Korkunç el Gato
Korkunç el Gato - avatar