Comments on: What I learned about Python Today – eval() http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/ Made with only the finest 1's and 0's Thu, 26 Jan 2012 21:20:45 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: nis http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/comment-page-1/#comment-185 nis Thu, 20 Mar 2008 17:37:47 +0000 http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/#comment-185 I am interested to know what the speed difference is using your 250MB file between eval and getattr for the simple cases that work with either. Just curious. I am interested to know what the speed difference is using your 250MB file between eval and getattr for the simple cases that work with either. Just curious.

]]> By: Kumar McMillan http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/comment-page-1/#comment-191 Kumar McMillan Tue, 11 Mar 2008 18:49:06 +0000 http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/#comment-191 # comment form swallowed my regex, replace _gt_ and _lt_ with the symbols: expr = re.compile(r'\s*(=|_gt_|_lt_)\s*') # comment form swallowed my regex, replace _gt_ and _lt_ with the symbols:
expr = re.compile(r’\s*(=|_gt_|_lt_)\s*’)

]]> By: Kumar McMillan http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/comment-page-1/#comment-190 Kumar McMillan Tue, 11 Mar 2008 18:45:20 +0000 http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/#comment-190 90% of the time when I see people using eval(), I see a better way to go instead. Here's why: 1. eval is unsafe. no matter how hard you try, you will most likely leave some gaping security hole somewhere. Especially if you are parsing a web log! Try grepping for "woot" in your log. This is the first entry I see in my log: GET /path/to/mysite/woots.txt HTTP/1.1" 404 366 "-" "Java/1.6.0_01 the Internet is a crazy place. 2. eval makes for unreadable code. If I were to see this written in someone else's code: eval(rule.attr, line.__dict__) I would have to stop and figure out what the hell is going on. What are all possible values of rule.attr? even if those are in comments of the docstring I am going to be annoyed that I had to read lengthy documentation where some more readable code would suffice. How about this instead? >>> import cgi >>> import re >>> expr = re.compile(r'\s*(=|>|>> input_expr = expr.split('ip=192.168.1.2') >>> input_expr ['ip', '=', '192.168.1.2'] >>> attr, op, val = input_expr >>> line_parsed = cgi.parse_qs('ip=192.168.1.2&ip=192.168.1.240') >>> line_parsed {'ip': ['192.168.1.2', '192.168.1.240']} >>> line_matched = False >>> for parsed_val in line_parsed.get(attr, []): ... if op == '=': ... if parsed_val == val: ... line_matched = True ... break ... elif op == '>': ... if parsed_val > val: ... line_matched = True ... break ... elif op == '<': ... if parsed_val >> line_matched True >>> much more readable, IMHO, and tailored better to what you are trying to do (that is, given this description of what you're trying to do:)) 90% of the time when I see people using eval(), I see a better way to go instead. Here’s why:

1. eval is unsafe. no matter how hard you try, you will most likely leave some gaping security hole somewhere. Especially if you are parsing a web log! Try grepping for “woot” in your log. This is the first entry I see in my log:

GET /path/to/mysite/woots.txt HTTP/1.1″ 404 366 “-” “Java/1.6.0_01

the Internet is a crazy place.

2. eval makes for unreadable code. If I were to see this written in someone else’s code: eval(rule.attr, line.__dict__) I would have to stop and figure out what the hell is going on. What are all possible values of rule.attr? even if those are in comments of the docstring I am going to be annoyed that I had to read lengthy documentation where some more readable code would suffice.

How about this instead?

>>> import cgi
>>> import re
>>> expr = re.compile(r’\s*(=|>|>> input_expr = expr.split(‘ip=192.168.1.2′)
>>> input_expr
['ip', '=', '192.168.1.2']
>>> attr, op, val = input_expr
>>> line_parsed = cgi.parse_qs(‘ip=192.168.1.2&ip=192.168.1.240′)
>>> line_parsed
{‘ip’: ['192.168.1.2', '192.168.1.240']}
>>> line_matched = False
>>> for parsed_val in line_parsed.get(attr, []):
… if op == ‘=’:
… if parsed_val == val:
… line_matched = True
… break
… elif op == ‘>’:
… if parsed_val > val:
… line_matched = True
… break
… elif op == ‘<’:
… if parsed_val >> line_matched
True
>>>

much more readable, IMHO, and tailored better to what you are trying to do (that is, given this description of what you’re trying to do:))

]]> By: m0j0 http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/comment-page-1/#comment-189 m0j0 Tue, 11 Mar 2008 17:36:08 +0000 http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/#comment-189 I understand the religion of not using things like eval(), but please at least read the documentation about how that function works, and take the time to test your hypotheses before you dismiss out of hand my use of it. In addition, it's not like I'm extolling the virtues of eval as a general safety net. It works in this instance, and I'm not opposed to entertaining other ideas about what would work. However, I'm not going to rewrite this code just because eval *can* be bad *IF USED INAPPROPRIATELY*. I'll remind everyone that just because something has the potential to be used unwisely does not make any use of that thing unwise. You can apply that to a great many things, technical or otherwise. Like a chainsaw, for example. I can't profess to have read the code that implements eval(). I can't profess to know that it can't be broken as I've used it. However, I'm *confident* that it's safe the way I've used it, and furthermore, the context of this application is that it is run by a user against *their own logs*, so we should also consider (in *addition* to the rest) what the cost of failure is in this case. I understand the religion of not using things like eval(), but please at least read the documentation about how that function works, and take the time to test your hypotheses before you dismiss out of hand my use of it.

In addition, it’s not like I’m extolling the virtues of eval as a general safety net. It works in this instance, and I’m not opposed to entertaining other ideas about what would work. However, I’m not going to rewrite this code just because eval *can* be bad *IF USED INAPPROPRIATELY*. I’ll remind everyone that just because something has the potential to be used unwisely does not make any use of that thing unwise. You can apply that to a great many things, technical or otherwise. Like a chainsaw, for example.

I can’t profess to have read the code that implements eval(). I can’t profess to know that it can’t be broken as I’ve used it. However, I’m *confident* that it’s safe the way I’ve used it, and furthermore, the context of this application is that it is run by a user against *their own logs*, so we should also consider (in *addition* to the rest) what the cost of failure is in this case.

]]> By: inopua http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/comment-page-1/#comment-188 inopua Tue, 11 Mar 2008 17:06:15 +0000 http://www.protocolostomy.com/2008/03/11/what-i-learned-about-python-today-eval/#comment-188 Then what about ?import sys;sys.exit();=whatever ? Then what about

?import sys;sys.exit();=whatever

?

]]>