On Mon, May 20, 2013 at 5:50 PM, Frank Millman <fr...@chagford.com> wrote:
> On 20/05/2013 09:34, Carlos Nepomuceno wrote:
>> Why don't you use eval()?
>>
>
> Because users can create their own columns, with their own constraints.
> Therefore the string is user-modifiable, so it cannot be trusted.
Plenty of reason right there :)

Is it a requirement that they be able to key in a constraint as a single string? We have a similar situation in one of the systems at work, so we divided the input into three(ish) parts: pick a field, pick an operator (legal operators vary according to field type - integers can't be compared against regular expressions, timestamps can use >= and < only), then enter the other operand. Sure, that cuts out a few possibilities, but you get 99.9%+ of all usage and it's easy to sanitize.

ChrisA
--
http://mail.python.org/mailman/listinfo/python-list
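The field / operator / operand split ChrisA describes, written out as an added example (this is not code from the thread or from Frank's project). The schema in FIELDS, the per-type operator table, the MAX_PATTERN_LEN limit and the sample rows are all constructed for illustration. Each part is checked against an allow-list before anything is evaluated, so there is nothing for eval() to do: the field name is looked up (never interpolated from user text), the operator must be legal for that field's type, and the operand is parsed into a typed value. The same three validated parts can also be turned into a parameterised SQL fragment, which is the shape you want when the constraint has to reach a database.

```python
import operator
import re
from datetime import datetime

# Constructed schema: column name -> type. A user can only pick one of these
# names, so any column name that reaches SQL below comes from this dict,
# never from the user's string.
FIELDS = {"id": "int", "name": "str", "created": "timestamp"}

# Legal operators per field type, as in the post: no regex on integers,
# only >= and < on timestamps. Each maps to the Python predicate it means.
OPERATORS = {
    "int": {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
            "<=": operator.le, ">": operator.gt, ">=": operator.ge},
    "str": {"=": operator.eq, "!=": operator.ne,
            "~": lambda value, pattern: pattern.search(value) is not None},
    "timestamp": {">=": operator.ge, "<": operator.lt},
}

# Assumed limit: keeps a user-supplied regular expression short.
MAX_PATTERN_LEN = 64


def parse_operand(ftype, op, raw):
    """Turn the user-typed operand into a typed value, or raise ValueError."""
    if ftype == "int":
        return int(raw)  # ValueError on anything but an integer literal
    if ftype == "timestamp":
        return datetime.fromisoformat(raw)  # ValueError on a bad date
    if op == "~":
        if len(raw) > MAX_PATTERN_LEN:
            raise ValueError("pattern too long")
        try:
            return re.compile(raw)
        except re.error as exc:
            raise ValueError(f"bad pattern: {exc}") from exc
    return raw  # plain string, compared verbatim


def build_constraint(field, op, raw):
    """Validate the three parts and return a predicate over a row dict."""
    ftype = FIELDS.get(field)
    if ftype is None:
        raise ValueError(f"unknown field {field!r}")
    fn = OPERATORS[ftype].get(op)
    if fn is None:
        raise ValueError(f"operator {op!r} not allowed on {ftype} field {field!r}")
    value = parse_operand(ftype, op, raw)
    return lambda row: fn(row[field], value)


def to_sql(field, op, raw):
    """Same validation, but emit a parameterised WHERE fragment instead.

    The column name is a known-good identifier from FIELDS (quoted), the
    operator comes from the allow-list, and the operand is bound as a
    parameter, so no user text is ever spliced into the SQL string.
    """
    ftype = FIELDS.get(field)
    if ftype is None or op not in OPERATORS[ftype]:
        raise ValueError(f"constraint {field!r} {op!r} not allowed")
    if op == "~":
        raise ValueError("regex constraints are evaluated in Python, not SQL")
    value = parse_operand(ftype, op, raw)
    return f'"{field}" {op} ?', [value]


def filter_rows(rows, constraints):
    """Apply a list of (field, op, operand) triples, AND-ed together."""
    predicates = [build_constraint(*c) for c in constraints]
    return [row for row in rows if all(p(row) for p in predicates)]


if __name__ == "__main__":
    rows = [  # constructed sample data
        {"id": 1, "name": "alice", "created": datetime(2013, 5, 1)},
        {"id": 2, "name": "bob", "created": datetime(2013, 5, 21)},
    ]
    print(filter_rows(rows, [("name", "~", "^a"), ("created", "<", "2013-05-20")]))
    print(to_sql("name", "=", "x' OR 1=1 --"))
    for bad in [("id", "~", "1"), ("created", "=", "2013-05-20"), ("pw", "=", "x")]:
        try:
            build_constraint(*bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The injection-looking operand `x' OR 1=1 --` is harmless in both paths: in Python it is just a string compared with `==`, and in SQL it travels as a bound parameter rather than as part of the statement. Rejections come from the allow-lists (regex on an integer field, `=` on a timestamp, a column that does not exist), which is the "easy to sanitize" property of the three-part input.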