Using the eval() command


Henry Versemann

Mar 10, 2015, 9:25:37 PM
to django...@googlegroups.com
I have a new dictionary that I want to build, using data from another dictionary. I have a view which is receiving a single key/value pair from the original dictionary. Then in the view I've defined the new dictionary like this:

innerDict = {}  

Now I want to make this as dynamic as possible so I'm trying to use the "eval()" statement below to add the new key/value pair to the new dictionary, which is declared above. Will the following code work to actually add the new key/value pair to the new dictionary?

innrDictCmnd = "innerDict['"+newinnrkey+"'] = newinnrval"
eval(innrDictCmnd)

If not why not, and in lieu of the statements above not working, then how would I do it?

Thanks for the help.

Henry


Bill Freeman

Mar 10, 2015, 9:34:34 PM
to django-users
eval() operates on an expression, not a statement.  Assignment makes it a statement.

Why wouldn't you just say:

  innerDict['+newinnrkey+'] = newinnrval


Carl Meyer

Mar 10, 2015, 9:49:48 PM
to django...@googlegroups.com
Hi Henry,
It doesn't work, because eval() only accepts expressions; assignment is
a statement. Using exec() instead of eval() will work (though the way
you have it written, it will always assign the string "newinnrval" --
perhaps you meant to end innrDictCmnd with '... = ' + newinnrval).

But regardless, you should not use either eval() or exec().

Since you say this code is in a view, I assume that newinnrkey comes
from request data (user input). Imagine what happens if I am a malicious
user and I call this view with newinnrkey set to:

'] = 0; import os; os.rm('/'); d = {}; d['

Oops.

Both exec() and eval() should be avoided. They are very rarely
necessary, they usually make code less readable and maintainable, and if
you ever accidentally pass user input to them, you've opened up a
security hole in your application that someone could drive a truck through.

For your case, what's wrong with just writing `innerDict[newinnerkey] =
newinnerval`? It's every bit as dynamic as the version using eval or
exec - the eval/exec gains you nothing.

Carl


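The three points in Carl's reply (eval() rejects an assignment, the string-built command lets the key smuggle in extra statements, and plain subscript assignment needs no eval/exec at all) can be checked directly. The following is an added example, not code from the thread; the function names, the sample keys, and the use of ast.parse() as a check are my own constructions. The crafted key has the same shape as Carl's but only assigns a flag, and it is never executed, only parsed.

```python
import ast


def build_command(newinnrkey):
    # The source string the original post builds. It embeds the *name*
    # newinnrval, not its value, so it only works if that name is visible
    # to whatever executes the string.
    return "innerDict['" + newinnrkey + "'] = newinnrval"


def eval_accepts(source):
    """True if eval() would accept `source`, i.e. it compiles as an expression."""
    try:
        compile(source, "<cmd>", "eval")
        return True
    except SyntaxError:
        return False


def statement_count(source):
    """Number of top-level statements in the generated source.

    A well-formed key yields exactly one (the assignment). Anything more means
    the key closed the string literal and injected additional code; this is a
    cheap way to demonstrate why string-built source must not reach exec().
    """
    return len(ast.parse(source).body)


def add_entry_unsafe(innerDict, newinnrkey, newinnrval):
    # exec() version: whatever the generated source says is what runs, so the
    # key controls the program. Only called with a plain key in this example.
    ns = {"innerDict": innerDict, "newinnrval": newinnrval}
    exec(build_command(newinnrkey), ns)
    return innerDict


def add_entry_safe(innerDict, newinnrkey, newinnrval):
    # The fix from the thread: ordinary subscript assignment. The key is data,
    # never source code, so quotes, brackets or semicolons in it are harmless.
    innerDict[newinnrkey] = newinnrval
    return innerDict


# Constructed sample inputs (hypothetical request data).
PLAIN_KEY = "color"
# Crafted key in the shape Carl describes; the injected statement here only
# sets a flag so the demonstration stays harmless, and it is parsed, not run.
CRAFTED_KEY = "'] = 0; injected = True; d = {}; d['"

if __name__ == "__main__":
    print(eval_accepts(build_command(PLAIN_KEY)))          # False: assignment is a statement
    print(statement_count(build_command(PLAIN_KEY)))       # 1
    print(statement_count(build_command(CRAFTED_KEY)))     # 4: three extra statements injected
    print(add_entry_unsafe({}, PLAIN_KEY, "red"))          # {'color': 'red'}
    print(add_entry_safe({}, CRAFTED_KEY, "red"))          # crafted key stored as an ordinary string
```

Running it shows the crafted key turns one intended assignment into four statements under exec(), while add_entry_safe() stores the very same key as a literal dictionary key without interpreting it.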

Henry Versemann

Mar 11, 2015, 1:24:58 AM
to django...@googlegroups.com
So it's valid Python code to write the expression

innerDict['+newinnrkey+']

without enclosing the parts outside of the plus-signs surrounding the "newinnrkey" variable within quotes or double quotes?
I'm not sure I've ever heard or seen such python code before anywhere.
Can you explain or point me to some docs on this type of code expression?
And are there any gotchas or problems coding expressions like this?
Thanks for the help.

Henry 

Henry Versemann

Mar 11, 2015, 1:37:24 AM
to django...@googlegroups.com
So how does an expression like you suggested above ( innerDict['+newinnrkey+'] = newinnrval ) work then?
It seems like it wouldn't work without enclosing the expression with quotes or double-quotes, and even then it seems like it would only become some kind of string instead of a statement which would be automatically executed to produce a result. Please explain or point me to some documentation explaining this type of code or coding.
Thanks.

Henry    

Tom Evans

Mar 11, 2015, 9:55:05 AM
to django...@googlegroups.com
On Wed, Mar 11, 2015 at 1:24 AM, Henry Versemann <fence...@gmail.com> wrote:
> so its valid python code to write the expression
>
> innerDict['+newinnrkey+']
>
> without enclosing the parts outside of the plus-signs surrounding the
> "newinnrkey" variable within quotes or double quotes?
> I'm not sure I've ever heard or seen such python code before anywhere.
> Can you explain or point me to some docs on this type of code expression?
> And are there any gotchas or problems coding expressions like this?
> Thanks for the help.
>

No, it isn't valid, Bill mis-typed his reply. I don't want to speak
for him, but I think he meant to write:

> Why wouldn't you just say:
>
> innerDict[newinnrkey] = newinnrval

and, indeed, why wouldn't you?

Cheers

Tom

Carl Meyer

Mar 11, 2015, 4:05:38 PM
to django...@googlegroups.com
Hi Henry,

On 03/10/2015 07:37 PM, Henry Versemann wrote:
> So how does an expression like you suggested above (
> innerDict['+newinnrkey+'] = newinnrval ) work then?
> It seems like it wouldn't work without enclosing the expression
> with quotes or double-quotes, and even then it seems like it would only
> become some kind of string instead of a statement which would be
> automatically executed to produce a result. Please explain or point me
> to some documentation explaining this type of code or coding.
> Thanks.

I didn't suggest that line of code, Bill did. As Tom said, it was
probably a typo. The line of code I suggested, which is what you should
use, is simply:

innerDict[newinnrkey] = newinnrval

Carl


Henry Versemann

Mar 11, 2015, 4:23:39 PM
to django...@googlegroups.com
Carl,

Thanks for the advice and information. I'm certainly going to try it.
Thanks again for the help.

Henry