Don't be lazy. Don't use eval(). (thetonk.com)
3 points by azanar on June 12, 2009 | hide | past | favorite | 6 comments



The most noteworthy thing about this (misguided) post is that the blogger's professor responded, thoroughly (http://blog.thetonk.com/archives/dont-be-lazy-dont-use-eval#...) and the blogger gracefully backed down ("I was proven wrong. It happens.").


I have to point out that (IMHO) you've taken that quote a _bit_ out of context. If you'll read the rest of my remarks, you'll see the qualification text: I was wrong about eval() in Python; however, my arguments remain standing in languages which don't support sandboxing - and, as a few readers pointed out, even Python's sandboxing isn't a sure bet. I used Python in my examples because that's where the original disagreement arose.


I think better advice would be "Don't use eval on user-supplied strings".

It is quite safe to use eval on strings you generate yourself. It's like using macros, but with added syntax errors.


That also works for marketing static typing - now with added syntax errors!


Reminds me of an instructor I had who insisted against using printf calls with the format string created outside the call.




