Or, indeed, just parse the expression and pull the data out directly, avoiding the dangerous eval step entirely. That will most likely be faster, too.
On 12 January 2015 at 16:01, Steven G. Johnson <[email protected]> wrote:
> On Monday, January 12, 2015 at 2:42:59 AM UTC-5, Ivar Nesje wrote:
>> Note that there might be a security issue, because whoever inputs data to
>> your program also gets the ability to run arbitrary code on the computer. In
>> a local setting where everyone who inputs data also has access to changing
>> the code, this isn't an issue, but be careful if you plan to take input
>> from strangers (e.g. on a Web server).
>
> In principle, you could call parse() on the string first, then walk the
> AST to check that it only contains one of a small whitelist of allowed
> expression types, and only then evaluate the parsed expression.
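An added example of the two suggestions above (parse, walk the AST against a small whitelist, and build the data directly instead of calling eval); this is not code from the thread's authors. It assumes Julia 1.x, where the parser is `Meta.parse` (the 2015 posts used `parse()`), and the operator whitelist is a constructed choice.

```julia
# Added example, not code from the thread. Assumes Julia 1.x (Meta.parse).

# Operators the loader is willing to apply to literal operands (constructed
# whitelist). Nothing that can allocate unboundedly or do I/O belongs here.
const ALLOWED_OPS = Dict(:+ => +, :- => -, :* => *, :/ => /)

# Turn a parsed expression into a value, accepting only data literals.
# Names, arbitrary function calls, macros, string interpolation and keyword
# arguments all raise instead of ever reaching eval.
function build(ex)
    ex isa Number && return ex
    ex isa String && return ex
    ex isa Expr || throw(ArgumentError("not a data literal: $(repr(ex))"))
    args = ex.args
    if ex.head == :vect                        # [1, 2, 3]
        return Base.vect((build(a) for a in args)...)
    elseif ex.head == :vcat                    # [1 2; 3 4]: rows stacked
        return vcat((build(a) for a in args)...)
    elseif ex.head in (:row, :hcat)            # one row of a matrix literal
        return hcat((build(a) for a in args)...)
    elseif ex.head == :tuple                   # (1, 2.5, "x")
        return Tuple(build(a) for a in args)
    elseif ex.head == :call && args[1] isa Symbol && haskey(ALLOWED_OPS, args[1])
        # Only whitelisted operators, and every operand is itself checked.
        return ALLOWED_OPS[args[1]]((build(a) for a in args[2:end])...)
    end
    throw(ArgumentError("disallowed syntax :$(ex.head) in $(repr(ex))"))
end

# Entry point for untrusted input: parse once, then build without eval.
function load_data(str::AbstractString)
    ex = Meta.parse(str)        # raises Meta.ParseError on malformed input
    return build(ex)
end

load_data("[1, 2, 3]")          # 3-element Vector{Int64}
load_data("[1 2; 3 4] * 2")     # 2×2 Matrix{Int64}
load_data("(1, 2.5, \"label\")")
load_data("run(`ls`)")          # ArgumentError: disallowed syntax :call
```

Because `build` reconstructs the value itself, rejected input never reaches `eval`, so the attack surface is the set of heads and operators listed above rather than the whole language.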
