numeric expression from string?

Brian Blais

Hello,

I have a string input from the user, and want to parse it to a number, and would like
to know how to do it. I would like to be able to accept arithmetic operations, like:

'5+5'
'(4+3)*2'
'5e3/10**3'

I thought of using eval, which will work, but could lead to bad security problems
(not that it's a big deal in my app, but still...)

string.atof won't do the job. Is there a preferred way of doing this?


thanks,


Brian Blais
 
Steven D'Aprano

Hello,

I have a string input from the user, and want to parse it to a number, and would like
to know how to do it. I would like to be able to accept arithmetic operations, like:

'5+5'
'(4+3)*2'
'5e3/10**3'

I thought of using eval, which will work, but could lead to bad security problems
(not that it's a big deal in my app, but still...)

It is good to be cautious. Big thumbs up. But what exactly are you worried
about? Do you think your users might enter something Evil and break their
own system? I'd suggest that's not your problem, and besides, it is hard
to think of anything they could do with eval that they couldn't do by
exiting your app and running something Evil in their shell prompt.

Are you running this script as a cgi script? Then remote users might use
eval to break your system, and you are right to avoid it.

Are you worried about angry customers calling you up with bizarre bugs,
because they entered something weird into their input string? One
possible way to avoid those problems is to validate the string before
passing it to eval:

goodchars = "0123456789+-/*()eE."
for c in user_input:
    if c not in goodchars:
        raise ValueError("Illegal character detected!")
result = eval(user_input)


string.atof won't do the job. Is there a preferred way of doing this?

Look into PyParsing:

http://cheeseshop.python.org/pypi/pyparsing/1.3.3

If you read back over the Newsgroup archives, just in the last week or so,
there was a link to a PyParsing tutorial.
 
Diez B. Roggisch

Brian said:
Hello,

I have a string input from the user, and want to parse it to a number,
and would like to know how to do it. I would like to be able to accept
arithmetic operations, like:

'5+5'
'(4+3)*2'
'5e3/10**3'

I thought of using eval, which will work, but could lead to bad security
problems (not that it's a big deal in my app, but still...)

string.atof won't do the job. Is there a preferred way of doing this?

No. If you already know about the pros and cons of eval, either go for it
- or if it bothers you, write a parser using pyparsing and evaluate the
expressions yourself.

Regards,

Diez
 
Claudio Grondi

Brian said:
Hello,

I have a string input from the user, and want to parse it to a number,
and would like to know how to do it. I would like to be able to accept
arithmetic operations, like:

'5+5'
'(4+3)*2'
'5e3/10**3'

I thought of using eval, which will work, but could lead to bad security
problems (not that it's a big deal in my app, but still...)

string.atof won't do the job. Is there a preferred way of doing this?


thanks,


Brian Blais

I have no idea if it is the right thing for what you need, so it would
be nice to get a response on whether it is or not:
http://www.strout.net/python/pythonica.html

Claudio
 
Giovanni Bajo

Brian said:
I have a string input from the user, and want to parse it to a
number, and would like to know how to do it. I would like to be able
to accept arithmetic operations, like:

'5+5'
'(4+3)*2'
'5e3/10**3'

I thought of using eval, which will work, but could lead to bad
security problems (not that it's a big deal in my app, but still...)


eval() is the preferred way unless you have serious security reasons:
def calc(s):
    try:
        return float(eval(s, dict(__builtins__=None)))
    except Exception, e:
        raise ValueError, "error during expression evaluation: %s" % e

Traceback (most recent call last):
  File "<stdin>", line 1, in ?
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "<stdin>", line 5, in calc
ValueError: error during expression evaluation: unexpected EOF while parsing (line 1)
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "<stdin>", line 5, in calc
ValueError: error during expression evaluation: name 'type' is not defined


Of course, one can still bring your system to its knees when
"1000**1000000000000000"...
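An added example, not code from any poster in this thread, covering both Steven's validate-then-eval idea and Giovanni's restricted-builtins calc(): instead of calling eval() at all, the string is parsed with Python 3's ast module and only numeric literals and arithmetic operators are evaluated, so names, calls and attribute access are rejected outright. The MAX_* values are assumed limits chosen here so that inputs like '1000**1000000000000000' are refused rather than allowed to hang the process.

```python
import ast
import operator

MAX_LEN = 200           # assumed cap on input length (also bounds nesting depth)
MAX_EXPONENT = 1000     # assumed cap on an integer exponent for '**'
MAX_RESULT_BITS = 4096  # assumed cap on the size of an integer power


def _pow(base, exp):
    """Bounded '**' so '1000**1000000000000000' is refused instead of hanging."""
    if isinstance(exp, int) and abs(exp) > MAX_EXPONENT:
        raise ValueError("exponent too large")
    if isinstance(base, int) and isinstance(exp, int) and exp > 0 \
            and base.bit_length() * exp > MAX_RESULT_BITS:
        raise ValueError("result too large")
    if isinstance(exp, float) and base < 0:
        raise ValueError("negative base with fractional exponent")  # would be complex
    return base ** exp


# Only these operators are evaluated; anything else in the tree (Name, Call,
# Attribute, Subscript, str constants, ...) raises ValueError below.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: _pow}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def _eval_node(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value                      # numeric literal, e.g. 5, 4, 5e3
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError("unsupported element: %s" % type(node).__name__)


def calc(s):
    """Evaluate an arithmetic expression string to a float, or raise ValueError."""
    if len(s) > MAX_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(s, mode="eval")       # SyntaxError for 'import os' etc.
        return float(_eval_node(tree.body))
    except (SyntaxError, ArithmeticError) as e:  # e.g. 1/0, float overflow
        raise ValueError("error during expression evaluation: %s" % e)
```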
 
Brian Blais

Steven said:
It is good to be cautious. Big thumbs up. But what exactly are you worried
about? Do you think your users might enter something Evil and break their
own system? I'd suggest that's not your problem, and besides, it is hard
to think of anything they could do with eval that they couldn't do by
exiting your app and running something Evil in their shell prompt.

Yeah, I guess when you think about it, there really isn't a problem. I figured that
someone might accidentally do damage to their system with an unchecked eval.

Are you running this script as a cgi script? Then remote users might use
eval to break your system, and you are right to avoid it.

No, I am not, but it is good to know how to deal with it in this case too.


thanks!


bb
 
Alex Martelli

Brian Blais said:
someone might accidentally do damage to their system with an unchecked eval.

Nah, it takes malice and deliberation to damage a system from an eval.


Alex
 
Blair P. Houghton

Steven said:
Do you think your users might enter something Evil and break their own system?

That's not usually how it works.

How it usually works is:

1. Innocent code-monkey writes nifty applet, posts on usenet.
2. Innocent but dull-witted framework manufacturer includes nifty
applet in Next Big Thing framework.
3. Innocent webmaster uses framework to design entire website,
dragging and dropping input boxes validated by nifty applet all over
the place.
4. Budding malevolent self-deceived "just fooling around" script
kiddie enters evil string into vulnerable buffer passed nifty applet,
taking down innocent webmaster's system. Posts astonishment on
#dickwar3z irc channel.
5. Genuinely malevolent wiseguy/blackmailer/terrorist blackhat stores
sploit for later inclusion in rootkit-laying worm suite.
6. Randal Schwartz goes to jail.

--Blair
 