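Can the way I'm using eval() be exploited?

Time: 2017-04-11 02:39:57

Tags: python-3.6

I am using a (very hacky) implementation of eval() to create dynamic sentences based on what the user inputs. I am well aware of the security issues created by using eval(), but I can't find one myself. Are there any, and if so, what would be an alternative solution?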

name = request.POST['name']
food = request.POST['food']
sen = "My name is {name}. " + "My favorite food is {food}. " #Would be created from a database table which lists all of the forms but, for the purposes of this example, this is what that would look like.
f = f'f"{sen}"'
ee = eval(f)
print(ee)

0 answers:

No answers
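
An added example, not part of the original post: in the question's code the values of `name` and `food` are only looked up as variables, while the template string `sen` is what eval() compiles, so whoever can edit the template table decides what runs. The sketch below sets that approach beside a `string.Formatter` subclass that substitutes allow-listed fields without evaluating anything; `ALLOWED_FIELDS`, the sample inputs and the `TAMPERED` row are constructed assumptions.

```python
import string

ALLOWED_FIELDS = {"name", "food"}  # assumption: the only fields a form may use
TEMPLATE = "My name is {name}. My favorite food is {food}. "  # from the question
# Constructed template row holding an expression instead of a field name.
TAMPERED = "My name is {name}. Total: {7*6}. "


class StrictFormatter(string.Formatter):
    """Accepts only bare, allow-listed field names; evaluates nothing."""

    def get_field(self, field_name, args, kwargs):
        # Rejects expressions, positional fields, and attribute or index
        # access such as {name.__class__} or {name[0]}.
        if field_name not in ALLOWED_FIELDS:
            raise ValueError(f"field not allowed: {field_name!r}")
        return kwargs[field_name], field_name

    def format_field(self, value, format_spec):
        # Format specs are refused so a template cannot request huge padding.
        if format_spec:
            raise ValueError(f"format spec not allowed: {format_spec!r}")
        return str(value)


def render_safe(template, **values):
    """Substitute values into the template as plain text."""
    return StrictFormatter().vformat(template, (), values)


def render_with_eval(template, name, food):
    """The question's approach: the template text is compiled as code."""
    return eval(f'f"{template}"')


if __name__ == "__main__":
    # Constructed user input that looks like template syntax stays literal.
    print(render_safe(TEMPLATE, name="{7*6}", food='pi"zza'))
    # eval() runs the expression stored in the tampered template row...
    print(render_with_eval(TAMPERED, "Ann", "rice"))
    # ...while the strict formatter refuses it.
    try:
        render_safe(TAMPERED, name="Ann", food="rice")
    except ValueError as exc:
        print("rejected:", exc)
```
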