On Fri, Sep 30, 2011 at 11:31 PM, Jason Swails <jason.swa...@gmail.com> wrote: > Hello everyone, > > I'm probably missing something pretty obvious, but I was wondering if there > was a way of executing an arbitrary line of code somehow (such as a line of > code based on user-input). There's the obvious use of "eval" that will > evaluate a function call, but that doesn't allow all things. <snip> > Because write is a function eval works fine for it. But since print isn't > (2.7), it throws a syntax error. Likewise, variable assignments aren't > allowed either as they are also not functions and lack a return value: <snip>
Use the `exec` statement, which is capable of executing statements (as opposed to just expressions): http://docs.python.org/reference/simple_stmts.html#the-exec-statement > What I'm more or less looking to do is present a (limited) form of an > interpreter inside the application I'm writing for the advanced user. > > I'm also interested to hear if this is a particularly bad idea for any > reason, It's potentially rather hacky and ad-hoc to effectively directly inject arbitrary statements at certain points in your code. Assuming you were to trust the user-provided code, callbacks/hooks or plugin modules are typically much cleaner ways to integrate custom code from the user. Depending on your particular use case, the `cmd` module might also be a workable alternative: http://docs.python.org/library/cmd.html > and if there are security issues involved with allowing users to > execute their own code inside my program (keeping in mind that some people > may "donate" their scripts to others that may run them as black boxes). It is *very much* a security issue! > Is > it enough to disallow import statements, thereby not giving direct access to > the sys and os modules? Not by a long shot! There are a bunch of known tricks that exploit introspection to circumvent such restrictions. Secure execution of untrusted Python code is a difficult problem. Some have accomplished it to a degree, but typically only by modifying the interpreter itself or imposing relatively onerous restrictions on the untrusted code. > I know more or less what I want to do, but I'd also > appreciate any experienced input/advice/suggestions. I additionally came across this in researching my reply: http://pypi.python.org/pypi/RestrictedPython/ Apparently the speed of execution leaves something to be desired, but the package /supposedly/ works well otherwise. Cheers, Chris -- http://rebertia.com -- http://mail.python.org/mailman/listinfo/python-list
