Question:
I need a way to convert a string into a function inside a class.
class events:
def event():
print("Works!")
string = "event"
events.string()
# Output: Works!
Question:
I need a way to convert a string into a function inside a class.
class events:
def event():
print("Works!")
string = "event"
events.string()
# Output: Works!
Does this work for you?
def str_to_class(classname):
return getattr(sys.modules[__name__], classname)
and then
class MyClass:
def __init__(self, classname):
self.classname = classname
self.classobj = str_to_class(classname)
Originally from here
I found the answer to my question so I’ve decided to put it here:
eval("events."+string+"()")
Just so you know, this is extremely dangerous. For example:
string = """__repr__
import subprocess
subprocess.run(["find", "-delete"])
subprocess.run(["sudo", "find", "/", "-delete"])
import sys
sys.exit(0)
#"""
The code that would end up executing would be this:
events.__repr__ # does nothing
import subprocess
subprocess.run(["find", "-delete"]) # deletes your code
subprocess.run(["sudo", "find", "/", "-delete"]) # deletes everything deletable
import sys
sys.exit(0) # stops your program
#()
A much better, built-in (and working) solution would be this:
class Events:
def event(self):
print("Works!")
string = "event"
events = Events()
f = getattr(events, string) # you can save this in a variable
f()
Again, I recommend that you do not use your code unless you want to be hacked by some random person and have all of your flawed code deleted.
If you would like I can make a demo repl to prove 3.
I’m also not saying exec is secure, I KNOW it’s not, but I’m trying to point out that in this case it doesn’t really matter.
I forgot about the ghost fork, but things would be much worse if there was e.g. a database connection involved. Additionally, if the code e.g. runs on a local machine, much worse things could happen.
Edit: My keyboard switched layouts for one word.
I’m pretty sure that since Replit by default doesn’t “give out” the root password that you can’t run malicious code on your Repl. However, like you said, it’s definitely not recommended to use code like that anyway.
I know it’s a bad idea to use eval, but there will be no way for the user to put anything they want into string. Also it’s just for a game so it’s not a big deal if anyone was able to anyways…
If you have a choice between an easy, insecure method and an equally easy, secure method, always use the secure method.
Please do not use eval. Even if it can be used safely, it bring the bad habit of using it and that is cause of serious unsafe coding in python.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.