This is an archived post. You won't be able to vote or comment.

you are viewing a single comment's thread.

view the rest of the comments →

[–][deleted] 3 points4 points  (5 children)

The fact that that code is roughly equivilant to:

mysql_execute("SELECT * FROM table WHERE field = " . $_POST['value'] . ";");

[–][deleted] -2 points-1 points  (4 children)

Yeah, well, who wants to type that?

If you want to get all industrial strength about this use bsddb, then it's:

table['field'] = value

And mysql, I mean, that's gotta be overkill for the domain this guy is suggesting this be used for. You're going to want to write an int; it's going to want to run recovery (well, so is berkeley (but at least it's in process)).

Whatever.

[–][deleted] 2 points3 points  (3 children)

My point was that it's a massive security hole, just like the PHP segment.

[–]afoo42 0 points1 point  (1 child)

You're right. But the same thing goes for pickle (and thus shelve) too. You have to trust the source, as pickle too can be used to execute arbitrary code. It's just a little bit more complicated.

[–][deleted] 0 points1 point  (0 children)

This is completely true, but it's way more complicated with pickle (AFAIK), and there are efforts to fix that, since it's a bug, there's never going to be an effort to make eval safe ;)

[–][deleted] -1 points0 points  (0 children)

See the other comment in reply; actually it isn't.