From: Frank Millman
Newsgroups: comp.lang.python
Subject: Re: Question about ast.literal_eval
Date: Mon, 20 May 2013 15:26:02 +0200

On 20/05/2013 10:07, Frank Millman wrote:
> On 20/05/2013 09:55, Chris Angelico wrote:
>> Is it a requirement that they be able to key in a constraint as a
>> single string? We have a similar situation in one of the systems at
>> work, so we divided the input into three(ish) parts: pick a field,
>> pick an operator (legal operators vary according to field type -
>> integers can't be compared against regular expressions, timestamps can
>> use >= and < only), then enter the other operand. Sure, that cuts out
>> a few possibilities, but you get 99.9%+ of all usage and it's easy to
>> sanitize.
>>
>> ChrisA
>>
>
> It is not a requirement, no. I just thought it would be a convenient
> short-cut.
>
> I had in mind something similar to your scheme above, so I guess I will
> have to bite the bullet and implement it.
>

Can anyone see anything wrong with the following approach? I have not definitely decided to do it this way, but I have been experimenting and it seems to work.

I store the boolean test as a json'd list of 6-part tuples. Each element of the tuple is a string, defined as follows -

0 - for the first entry in the list, the word 'check' (a placeholder - it is discarded at evaluation time), for any subsequent entries the word 'and' or 'or'.

1 - left bracket - either '(' or ''.

2 - column name to check - it will be validated on entry.

3 - operator - must be one of '=', '!=', '<', '>', '<=', '>=', 'in', 'is', 'is not'. At evaluation time, '=' is changed to '=='.

4 - value to compare - at evaluation time I call str(literal_eval(value)) to ensure that it is safe.

5 - right bracket - either ')' or ''.

At evaluation time I loop through the list, construct the boolean test as a string, and call eval() on it.

Here are some examples -

check = []
check.append(('check', '', 'name', 'in', "('abc', 'xyz')", ''))

check = []
check.append(('check', '', 'value', '>=', '0', ''))

check = []
check.append(('check', '(', 'descr', 'is not', 'None', ''))
check.append(('and', '', 'alt', 'is', 'None', ')'))
check.append(('or', '(', 'descr', 'is', 'None', ''))
check.append(('and', '', 'alt', 'is not', 'None', ')'))

I don't plan to check the logic - I will just display the exception if it does not evaluate.

It seems safe to me. Can anyone see a problem with it?

Frank
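
An added example, not code from the original post: the same 6-part entries evaluated without building a string for eval(), so the object returned by literal_eval() is compared directly and never has to be re-quoted as source text. It assumes the row being checked is a dict keyed by column name; evaluate_check, OPS and XOR_CHECK are names chosen here.

```python
import ast
import operator

# Operators allowed by the post, mapped to functions rather than eval() text.
OPS = {'=': operator.eq, '!=': operator.ne, '<': operator.lt, '>': operator.gt,
       '<=': operator.le, '>=': operator.ge, 'is': operator.is_,
       'is not': operator.is_not, 'in': lambda a, b: a in b}

def evaluate_check(check, row):
    """Evaluate a list of 6-part entries against row, a dict of column values."""
    tokens = []
    for i, (conn, lbr, col, op, value, rbr) in enumerate(check):
        if (conn not in (('check',) if i == 0 else ('and', 'or')) or op not in OPS
                or lbr not in ('(', '') or rbr not in (')', '') or col not in row):
            raise ValueError(f'entry {i} is not a valid check entry')
        # The literal is compared as an object, never pasted back into source text.
        result = bool(OPS[op](row[col], ast.literal_eval(value)))
        tokens += [conn] * (i > 0) + [lbr] * bool(lbr) + [result] + [rbr] * bool(rbr)
    tokens.append('end')  # sentinel so lookahead never runs off the list
    pos = 0

    def expr(level):  # 0: 'or' chain, 1: 'and' chain (binds tighter), 2: operand
        nonlocal pos
        if level < 2:
            word, combine = (('or', operator.or_), ('and', operator.and_))[level]
            val = expr(level + 1)
            while tokens[pos] == word:
                pos += 1
                val = combine(val, expr(level + 1))
            return val
        tok = tokens[pos]
        pos += 1
        if tok == '(':
            tok = expr(0)
            if tokens[pos] != ')':
                raise ValueError('unbalanced brackets')
            pos += 1
        if not isinstance(tok, bool):
            raise ValueError('unbalanced brackets')
        return tok

    value = expr(0)
    if tokens[pos] != 'end':
        raise ValueError('unbalanced brackets')
    return value

XOR_CHECK = [('check', '(', 'descr', 'is not', 'None', ''),  # third example above
             ('and', '', 'alt', 'is', 'None', ')'),
             ('or', '(', 'descr', 'is', 'None', ''),
             ('and', '', 'alt', 'is not', 'None', ')')]
```

Unlike eval(), every comparison runs (there is no short-circuiting), so a comparison such as None >= 0 raises TypeError even where eval() would have skipped it.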