@r000t I used to say the same thing : "Everything you do with eval can be done more safely without it". Then I thought of ONE use-case where this is not true. Evaluating signed static code downloaded from a remote source. Basically the equivalent of signed binaries loaded as a shared library, but for interpreted languages. That day, I stopped advising against eval, without considering what is done with it first :)
There's always going to be *some* valid use case. "I'm literally letting users pass in executable code because I wanted to provide add-ons" is the one I go to. And of course eval() and exec() can be used safely if you're sanitizing and validating the living shit out of the input.
Might I also suggest the performance argument? getattr(), setattr() and hasattr() are likely orders of magnitude faster than setting up the interpreter for a single line.
@r000t Absolutely. :) I just wanted to enumerate at least one valid use case, in case some youngling found your original toot, and took it without a grain of salt. Do not use eval and do not use goto. Well. Most of the time :D
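Putting the two ideas from this thread together (executing downloaded code only after its signature checks out, and reaching into it with getattr() plus an allowlist rather than eval()), here is an added example in Python. It is not code from anyone in the thread; it assumes a shared HMAC-SHA256 key as a stand-in for whatever signature scheme a real publisher would use, and the plugin source and key are constructed for the demo.

```python
import hashlib
import hmac
import types
from typing import Optional

# Constructed demo key; in practice the publisher signs and the client only verifies.
SIGNING_KEY = b"demo-shared-secret-not-for-production"

# Constructed sample plugin, the "signed static code downloaded from a remote source".
PLUGIN_SRC = b'def greet():\n    return "hello from plugin"\n\ndef version():\n    return "1.0"\n'


def sign_code(source: bytes, key: bytes = SIGNING_KEY) -> str:
    """Publisher side: MAC over the exact bytes that will later be executed."""
    return hmac.new(key, source, hashlib.sha256).hexdigest()


def verify_and_load(source: bytes, signature: str,
                    key: bytes = SIGNING_KEY) -> Optional[types.ModuleType]:
    """Client side: exec() the code only if the signature matches; otherwise None.

    compare_digest() is used so a wrong signature is not rejected via a timing leak.
    """
    if not hmac.compare_digest(sign_code(source, key), signature):
        return None
    module = types.ModuleType("remote_plugin")
    exec(compile(source, "<remote_plugin>", "exec"), module.__dict__)
    return module


def call_plugin(module: types.ModuleType, name: str,
                allowed: frozenset = frozenset({"greet", "version"})):
    """Dispatch by name with getattr() instead of eval(f"module.{name}()").

    The allowlist matters: without it, a caller-controlled name could reach
    anything the module's namespace exposes, not just the intended hooks.
    """
    if name not in allowed or not hasattr(module, name):
        raise AttributeError(f"plugin hook not permitted: {name!r}")
    return getattr(module, name)()


def demo():
    """Happy path, a tampered download, and a disallowed hook name."""
    sig = sign_code(PLUGIN_SRC)
    good = verify_and_load(PLUGIN_SRC, sig)
    tampered = verify_and_load(PLUGIN_SRC + b"\nprint('extra line')\n", sig)
    try:
        call_plugin(good, "__builtins__")
        blocked = False
    except AttributeError:
        blocked = True
    return call_plugin(good, "greet"), tampered is None, blocked
```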