So how does an expression like the one you suggested above ( 
innerDict['+newinnrkey+'] = newinnrval ) work then?
It seems like it wouldn't work without enclosing the expression with quotes 
or double-quotes, and even then it seems like it would only become some 
kind of string instead of a statement which would be automatically executed 
to produce a result. Please explain or point me to some 
documentation explaining this type of code or coding.
Thanks.

Henry    

On Tuesday, March 10, 2015 at 4:49:48 PM UTC-5, Carl Meyer wrote:

> Hi Henry, 
>
> On 03/10/2015 03:25 PM, Henry Versemann wrote: 
> > I have a new dictionary that I want to build, using data from another 
> > dictionary. I have a view which is receiving a single key/value pair 
> > from the original dictionary. Then in the view I've defined the new 
> > dictionary like this: 
> > 
> > innerDict = {}   
> > 
> > Now I want to make this as dynamic as possible so I'm trying to use the 
> > "eval()" statement below to add the new key/value pair to the new 
> > dictionary, which is declared above. Will the following code work to 
> > actually add the new key/value pair to the new dictionary? 
> > 
> > innrDictCmnd = "innerDict['"+newinnrkey+"'] = newinnrval" 
> > eval(innrDictCmnd) 
> > 
> > If not why not, and in lieu of the statements above not working, then 
> > how would I do it? 
>
> It doesn't work, because eval() only accepts expressions; assignment is 
> a statement. Using exec() instead of eval() will work (though the way 
> you have it written, it will always assign the string "newinnrval" -- 
> perhaps you meant to end innrDictCmnd with '... = ' + newinnrval). 
>
> But regardless, you should not use either eval() or exec(). 
>
> Since you say this code is in a view, I assume that newinnrkey comes 
> from request data (user input). Imagine what happens if I am a malicious 
> user and I call this view with newinnrkey set to: 
>
>     '] = 0; import os; os.rm('/'); d = {}; d[' 
>
> Oops. 
>
> Both exec() and eval() should be avoided. They are very rarely 
> necessary, they usually make code less readable and maintainable, and if 
> you ever accidentally pass user input to them, you've opened up a 
> security hole in your application that someone could drive a truck 
> through. 
>
> For your case, what's wrong with just writing `innerDict[newinnerkey] = 
> newinnerval`? It's every bit as dynamic as the version using eval or 
> exec - the eval/exec gains you nothing. 
>
> Carl 
>
>
>

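The following is an added example, not code from Henry or Carl, that puts the two versions discussed above side by side: the string-built exec() update and the plain subscript assignment Carl recommends. The attacker-controlled key is constructed for the demo and only flips a marker variable (named `pwned` here, an assumption of the example) rather than doing anything destructive; it also shows that eval() rejects assignment outright and that the exec version breaks even on an honest key containing an apostrophe.

```python
# Added example (not Carl's or Henry's code): side by side, the string-built
# exec() version of the dictionary update and the plain subscript assignment.
# The attacker-controlled key below is constructed for the demo and only
# flips a marker variable instead of doing anything destructive.


def add_with_exec(inner_dict, key, value):
    """The pattern from the thread: splice the key into Python source and exec it.

    Returns the 'pwned' marker so callers can see whether injected code ran.
    """
    namespace = {"innerDict": inner_dict, "newinnrval": value, "pwned": False}
    cmd = "innerDict['" + key + "'] = newinnrval"   # key is pasted into source code
    exec(cmd, namespace)
    return namespace["pwned"]


def add_with_subscript(inner_dict, key, value):
    """What Carl recommends: use the key variable directly as the subscript.

    No source code is built, so the key is plain data whatever it contains.
    """
    inner_dict[key] = value
    return inner_dict


def eval_rejects_assignment():
    """Carl's first point: eval() takes expressions only; assignment is a statement."""
    try:
        eval("innerDict['a'] = 1", {"innerDict": {}})
    except SyntaxError:
        return True
    return False


def exec_breaks_on_quote():
    """Even an honest key with an apostrophe breaks the exec version."""
    try:
        add_with_exec({}, "o'brien", 1)
    except SyntaxError:
        return True
    return False


def demo():
    """Run both versions with a benign key and a constructed malicious key."""
    benign_key = "colour"
    # Closes the string literal and the subscript, runs arbitrary statements,
    # then reopens them so the rest of the template still parses.
    malicious_key = "'] = 0; pwned = True; innerDict['x"

    benign_dict = {}
    benign_pwned = add_with_exec(benign_dict, benign_key, "red")

    malicious_dict = {}
    malicious_pwned = add_with_exec(malicious_dict, malicious_key, "red")

    # The same malicious key through subscript assignment is stored literally.
    safe_dict = add_with_subscript({}, malicious_key, "red")

    return {
        "benign_exec": benign_dict,
        "benign_pwned": benign_pwned,
        "malicious_exec": malicious_dict,
        "malicious_pwned": malicious_pwned,
        "subscript": safe_dict,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running `demo()` shows the exec version silently executing the injected statement (the marker flips to True and an unexpected `''` key appears in the dictionary), while `innerDict[key] = value` just stores the hostile string as an ordinary key. The subscript form is the one to use in the view; it is as dynamic as the exec version because the key is a variable, not a string that has to be turned back into code.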
-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/36ef505c-9957-4b68-964e-b8861e7fec14%40googlegroups.com.