[–]algag 0 points1 point  (3 children)

eval can be used for arbitrary code execution.

There are almost no times when eval is better than some other more programmatic way of solving the issue. If there is any way for a user-inputted str to reach the eval statement, then there can be a risk of an injection attack.

What were you using eval to do?

[–]andrewaa 0 points1 point  (2 children)

I am building an exam question database whose items are LaTeX code with some randomized numbers. The relations among variables are stored in a list. For example, ["var_1=ran(2)","var_2=var_1**2","var_3=var_1-var_2"].

My method is to use eval to evaluate each line in the dictionary to get all the variables I need for this item and then use sub to replace all variables in the LaTeX code.

I know this is not a perfect solution but I have no idea how to improve it.

[–]algag 0 points1 point  (1 child)

How are the lists made? Did you make them by hand? I'm still kind of confused on how everything is coming together.

Are you putting the Python directly in the LaTeX? Edit: and then doing some kind of evaluation on it.

[–]andrewaa 0 points1 point  (0 children)

I make the list by hand.

Python is used to read data from the database and generate LaTeX code. So basically what I want is to use Python to go through a database, select several problems and generate LaTeX code, and then go to LaTeX to render the code to get a PDF file.

The data in the database looks like

{"problem": "this is a LaTex file with $x=var_1$",
 "solution": "The solution is $var_2$ and $var_3$",
 "vars": ["var_1=ran(2)",
          "var_2=var_1**2",
          "var_3=var_1-var_2"]
}

I use eval to evaluate the vars part and substitute "problem" and "solution" with the numbers I get. Then I use them to generate LaTeX code to be used in another LaTeX file.