
Re: RE: Advise of programming one of my first programs

Started by: Chris Angelico <rosuav@gmail.com>
First post: 2012-03-29 11:07 +1100
Last post: 2012-03-29 11:07 +1100
Articles 1 — 1 participant


#22318 — Re: RE: Advise of programming one of my first programs

From: Chris Angelico <rosuav@gmail.com>
Date: 2012-03-29 11:07 +1100
Subject: Re: RE: Advise of programming one of my first programs
Message-ID: <mailman.1103.1332979676.3037.python-list@python.org>
 Thu, Mar 29, 2012 at 9:36 AM, Anatoli Hristov <tolidtm@gmail.com> wrote:
>> > > Um, at least by my understanding, the use of Pickle is also dangerous
>> > > if you are not completely sure what is being passed in:
>> >
>> > Oh goodness yes. pickle is exactly as unsafe as eval is. Try running
>> > this code:
>> >
>> > from pickle import loads
>> > loads("c__builtin__\neval\n(c__builtin__\nraw_input\n(S'py>'\ntRtR.")
>>
>> It might be as dangerous, but which is more likely to cause problems in
>> real world scenarios?
>
> Guys this is really something that is not that important at this time for
> me

Maybe not, but it's still worth being aware of. Even if today your
strings will never include apostrophes, it's still important to
understand the risks of SQL injection and properly escape them before
inserting them into an SQL statement. Just docket the information in
the back of your mind "Don't use pickle with untrusted data" and move
on. :)

ChrisA
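The two habits behind ChrisA's advice, as an added example that is not part of the original thread or the Python project's own code: a restricted unpickler (the `find_class` override the CPython pickle documentation recommends) that refuses any global not on an allowlist, and a parameterised sqlite3 INSERT beside the string-formatted one that an apostrophe breaks. `SAFE_GLOBALS`, the sample pickles and the names are all constructed for this demo; none of the pickles calls anything, the third merely references `builtins.len`.

```python
import io
import pickle
import sqlite3

# Allowlist of (module, name) pairs the unpickler may resolve.  Constructed
# for this demo; a real application lists exactly the classes it expects.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allowlist.

    Every class or function a pickle refers to goes through find_class().
    Refusing there means a forbidden object is never even imported, let
    alone called, so the eval-style trick quoted above cannot get started.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is forbidden in untrusted data")


def load_untrusted(data: bytes):
    """Return (True, obj) if the pickle loads, or (False, reason) if refused."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Sample pickles, constructed here for the demo.
BENIGN_PICKLE = pickle.dumps({"user": "anatoli", "items": [1, 2, 3]})  # no globals at all
ALLOWED_PICKLE = pickle.dumps(frozenset({1, 2}))  # references builtins.frozenset (allowlisted)
GLOBAL_REF_PICKLE = pickle.dumps(len)  # references builtins.len: harmless, but not allowlisted


def naive_insert_fails(name: str) -> bool:
    """Build the INSERT by string formatting; True if the statement breaks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    try:
        conn.execute(f"INSERT INTO people (name) VALUES ('{name}')")
    except sqlite3.OperationalError:
        return True  # an apostrophe in the data changed the shape of the SQL
    finally:
        conn.close()
    return False


def parameterised_insert(name: str) -> str:
    """Insert with a placeholder so the driver carries the value out of band."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.execute("INSERT INTO people (name) VALUES (?)", (name,))
    stored = conn.execute("SELECT name FROM people").fetchone()[0]
    conn.close()
    return stored


if __name__ == "__main__":
    print(load_untrusted(BENIGN_PICKLE))
    print(load_untrusted(ALLOWED_PICKLE))
    print(load_untrusted(GLOBAL_REF_PICKLE))
    print(naive_insert_fails("Anatoli"), naive_insert_fails("O'Brien"))
    print(parameterised_insert("O'Brien"))
```

The allowlist is deliberately tiny: `frozenset` loads because its pickle references a permitted global, while a pickle referencing `len` is refused before the name is looked up, even though `len` itself is harmless. The same shape of argument applies to the SQL half: the formatted statement happens to work for `"Anatoli"` and breaks for `"O'Brien"`, whereas the placeholder version stores the apostrophe unchanged, which is the escaping ChrisA is asking you to remember.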
