Geek Answers Handbook

Python book - Zelle uses eval (), right?

PLEASE NOTE: this is NOT about using eval (), it's about the potential quality (or lack thereof) of the book in which it is used and what it was taught. SO already has countless threads about eval () in Python.

At the risk of inviting anger and downvotes SO, I nonetheless decided to ask this question, just in case. Please carry me. I tried Google and SO myself on this particular issue (as you will see) and received nothing. I could be blind.

This question is about using the notorious eval () function.

There is a relatively well-known (and well-revised, as you can see) John Celle book: http://www.amazon.com/Python-Programming- Introduction-Computer-Science / dp / 1590282418 / ref = pd_sim_b_3

Technically, this is a CS1 book that uses Python as a programming language. Fairly enough, it takes some responsibility on the shoulders of the author ("Hey, I'm trying to teach you something broad here, not all of these syntaxes and security details"), but when I started reading, I noticed, literally in the very first example use

x = eval(input("Enter your number: "))

where x must be int and therefore we need to convert user input to int.

I use Python 2.7.4 and the book is about Python 3, so from the very beginning I ran into pretty big problems with print () and input () and eval (), and I had to do some research to bring the examples to work. In the course of my research, I read countless opinions about eval () in Python (mainly here on SO), which boil down to the fact that this is almost always bad, security risk, unnecessary technical overhead, and so on. User questions were much more complicated (there was one about using eval () when running a wxPython project), so I cannot vouch for the general similarity between my case and their cases, but still ...

So, I admit that I'm not too far from the book, but I got to the point that after a while the author explained the use of eval () without reference to its controversial nature. He basically said what I just said: we need x, in the end, to be int, so here is a convenient way to do this. And he seems to use it ever.

My question is this: if, from the very beginning, the author makes such a mistake (or is it NOT a mistake? Maybe I missed something here), is it worth studying the book? I believe that Mr. Zell is a great CS teacher, and he shows whether he wants to or not, people will still learn Python from his book, in addition to algorithms and the art of programming. So is it worth learning Python from a book that was silent about such a seemingly universal problem in the Python community? I don’t want Mr. Zell to be a Python hacker and reveal all his secrets, but small details like these can make or break someone who is self-educated / self-taught. What will be your advice regarding this training material?

PS On the other hand, forcing me to do quite a bit of research and experimentation (involuntarily) from the very beginning, it's pretty cool :-)

Thanks!

+7
source share
5 answers

As the author of the book in question, let me weigh this issue.

Using eval in a book is pretty much a historical artifact of converting from Python 2 to Python 3 (although the same “flaw” exists when using input in Python 2). I am well aware of the dangers of using eval in production code, where the input may come from an unreliable source, but the book does not deal with production code for a web system; it's about learning some CS principles and programming. There really is nothing in the book that could be remotely considered as production code. My goal is to always use the simplest approach, which allows me to illustrate what I'm trying to do, and eval helps to do this.

I disagree with the crowd declaring eval to be evil in all contexts. This is very convenient for simple programs and scripts that are managed only by their author. In this context, it is completely safe. It allows you to use simple multiple inputs and expressions as an input. Pedagogically, he emphasizes the concept of evaluating expression. Eval reveals all the power (and danger) of the interpreted language. I use eval all the time in my personal programs (and not just in Python). Looking back, I absolutely agree that I should have included some discussion of the potential risks of eval; in any case, this is what I always do in my classes.

The bottom line is that there are many ways in which this book could be improved (there is always one). I don't think using eval is a fatal error; it is suitable for the types of programs illustrated and the context in which these programs appear. I don't know any other “insecurities” about how Python is used in the book, but you should be warned (as the Preface explains) that there are many places where the code is not entirely “Pythonic”.

+9
source

Yes, that’s wrong. But I think I know why he is there.

Many people use input() in Python 2.x, which is a very unfortunately named function because it not only reads input, but also evaluates it. The 2to3 converter converts each use of input() to eval(input()) , as you can see:

 $ cat test.py x = input("Enter your number: ") $ 2to3 test.py RefactoringTool: Skipping implicit fixer: buffer RefactoringTool: Skipping implicit fixer: idioms RefactoringTool: Skipping implicit fixer: set_literal RefactoringTool: Skipping implicit fixer: ws_comma RefactoringTool: Refactored test.py --- test.py (original) +++ test.py (refactored) @@ -1 +1 @@ -x = input("Enter your number: ") +x = eval(input("Enter your number: ")) RefactoringTool: Files that need to be modified: RefactoringTool: test.py

So I guess it's just a little messy. From Amazon description:

This is the second edition of John Zelle's Python programming program, updated for Python 3.

I think someone ran 2to3 in all the code examples without checking the output carefully enough. So yes, it was a mistake to use input() in Python 2.x, and it was a mistake to use 2to3 without checking the output.

+5
source

Since eval so inappropriate and unnecessary in the example you are giving, I would of course doubt the safety of other parts of the book. Does the author submit a suggestion to add a string entered by the user to the SQL query?

I think it's worth finding the author's email address and asking about it directly.

+4
source

It’s good to combine eval () and input () in this way, creating a rudimentary, but possibly very harmful “wrapper”. I did not read the book, but I would take it with salt. This is not just bad practice; it implements one deadly combination of functions.

+3
source

Yes, eval should be written evil instead, to warn people about it;) You should try and never use it unless you absolutely need to. In this case, intuitively use int() instead, it is even much more readable! In addition, if you really needed to use ast.literal_eval (it only evaluates literals, as the name implies, so it will not allow the user to run malicious code), which is actually safe, but this is not necessary, and there is no need for eval() in this case.

+2
source

More articles:


All Articles