If you are going to use eval, and the data comes from somewhere else, you should try safe_eval (http://code.activestate.com/recipes/364469/) as a way to get the convenience of unpacking Python literals, but without the danger of full evaluation.
If a malicious user could get data into that field, he could add "[os.system('rm -rf /etc')]" to it, and a full eval would cause havoc, for example.

--Ned.
http://nedbatchelder.com

timc3 wrote:
> Thanks for the help. Yeah, my terminology is quite often wrong, too
> much context switching with other things.
>
> Unfortunately I am never sure what will go in to that field, just data
> that's sourced from various types of media, and populated from another
> system. I do know that it will almost always probably be in that
> format though.
>
> So I am going to try your method, I have thought to fix it properly I
> should use a datatype within PostgreSQL that supports what I am trying
> to do, but alas Django doesn't support it and neither does the other
> application.

--
Ned Batchelder, http://nedbatchelder.com
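As an added illustration of the point Ned makes (not code from the thread, and not the ActiveState safe_eval recipe itself), the following uses the standard library's ast.literal_eval, which does the same job the recipe was written for: it accepts only literal syntax (strings, numbers, tuples, lists, dicts, booleans, None) and refuses anything that would require evaluating code. The helper names, the expected "list of strings" shape, and the sample field values are all assumptions made for this example; the field contents below are constructed, not taken from the poster's database.

```python
import ast
from typing import Any, List, Tuple


class FieldParseError(ValueError):
    """Raised when a stored field does not hold a plain Python literal."""


def parse_literal_field(text: str) -> Any:
    """Decode a Python literal from a text field without evaluating code.

    ast.literal_eval parses the text into an AST and only accepts literal
    nodes, so a call such as os.system(...) is rejected rather than run.
    """
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise FieldParseError(f"field is not a plain literal: {exc}") from None


def parse_string_list(text: str) -> List[str]:
    """Decode the field and enforce the shape the application expects.

    The thread assumes the field 'almost always' holds a list of strings;
    checking that explicitly means a well-formed but unexpected literal
    (a dict, a list of ints) is also refused instead of flowing onward.
    """
    value = parse_literal_field(text)
    if not isinstance(value, list) or not all(isinstance(item, str) for item in value):
        raise FieldParseError("expected a list of strings")
    return value


def classify(text: str) -> Tuple[str, Any]:
    """Return ('ok', value) or ('rejected', reason) for one field value."""
    try:
        return ("ok", parse_string_list(text))
    except FieldParseError as exc:
        return ("rejected", str(exc))


# Constructed sample field contents (hypothetical, not real data).
SAMPLE_FIELDS = [
    "['jpeg', 'png', 'tiff']",        # the expected shape: accepted
    "  ['single']  ",                 # surrounding whitespace: accepted
    "[os.getcwd()]",                  # a call expression: rejected, never executed
    "__import__('os')",               # another call: rejected
    "{'a': 1}",                       # a literal, but not a list of strings: rejected
    "[1, 2, 3]",                      # a list, but not of strings: rejected
    "['unterminated",                 # malformed input: rejected
]

if __name__ == "__main__":
    for field in SAMPLE_FIELDS:
        status, detail = classify(field)
        print(f"{status:8} {field!r} -> {detail!r}")
```

parse_literal_field on its own is the drop-in replacement for a bare eval; parse_string_list adds the shape check that a stored-data field should get anyway, since "it parses" and "it is what the code expects" are different questions.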