[Zope] Re: Mysql get/set blob

Tres Seaver tseaver at zope.com
Sun Nov 21 21:19:37 EST 2004


Paul Winkler wrote:
> On Sun, Nov 21, 2004 at 02:36:36PM -0800, David Siedband wrote:
> 
>> I was thinking eval() combined with some sort of checking to make sure 
>> that the string being evaluated is in fact a valid dictionary...  Seems 
>> like pickling is a more secure way to store dictionaries.
> 
> 
> yeah, eval() should really be avoided unless you have some way
> to guarantee that the string you feed it cannot contain
> anything malicious.

Malicious pickles (now *there's* a band name) can be problematic, too, 
but the effort to create one is much higher than to create Python code.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
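Added example (not code from the thread or from Zope): the two defensive alternatives the thread circles around, parsing the stored string with `ast.literal_eval` instead of `eval()`, and for pickled blobs an `Unpickler` whose `find_class` refuses every global reference. The blob contents below are constructed stand-ins for what the MySQL column would return.

```python
import ast
import datetime
import io
import pickle

# Constructed blob contents standing in for what the MySQL column returns.
LITERAL_BLOB = "{'user': 'alice', 'roles': ['editor', 2]}"
CALL_BLOB = "dict(user='alice')"                            # a call, not a literal
PLAIN_PICKLE = pickle.dumps({"user": "alice"})              # builtin types only
GLOBAL_PICKLE = pickle.dumps(datetime.date(2004, 11, 21))   # names datetime.date

def dict_to_text(d):
    """Serialise a dict as a Python literal string for the blob column."""
    if not isinstance(d, dict):
        raise TypeError("only dicts are stored")
    return repr(d)

def text_to_dict(blob):
    """Parse the stored string back into a dict without eval(): literal_eval
    accepts literal syntax only, so a call, name or attribute lookup raises."""
    try:
        value = ast.literal_eval(blob)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a Python literal: %r" % blob) from exc
    if not isinstance(value, dict):
        raise ValueError("blob did not decode to a dict")
    return value

class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every global reference: plain dicts, lists, strings and numbers
    need none, so they load; a pickle naming any module attribute fails."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing global %s.%s" % (module, name))

def pickle_to_dict(blob):
    """Load a pickled dict with globals disabled, then type-check it."""
    value = NoGlobalsUnpickler(io.BytesIO(blob)).load()
    if not isinstance(value, dict):
        raise ValueError("pickle did not decode to a dict")
    return value

def accepts(loader, blob):
    """True if loader(blob) yields a dict, False if the blob was rejected."""
    try:
        loader(blob)
    except (ValueError, pickle.UnpicklingError):
        return False
    return True
```

The pickle variant still only limits what an unpickler can reference; it does not make arbitrary pickles safe to load, so the type check after `load()` stays.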
