0

I'm trying to make a web only using CouchDB and CouchApp...
but for some reason I need an external process using Python..
and now I'm stuck on how to handle a POST variable in Python...

I've read this (and it works) and this...

But I want it like this:

>>> a = {"success":1,"data":{"var1":1,"var2":2,"var3":3}}
>>> a["data"]["var2"]
2
>>> var2

Traceback (most recent call last):
  File "<pyshell#2>", line 1, in <module>
    var2
NameError: name 'var2' is not defined
>>> for key, value in a["data"].items():
    print  (key, value)
('var1', 1)
('var3', 3)
('var2', 2)
>>> var1

Traceback (most recent call last):
  File "<pyshell#6>", line 1, in <module>
    var1
NameError: name 'var1' is not defined
>>> 

I want it so that when I type var2, it returns 2.
In other words, how do I make a nested child object become a variable when I don't know how long the data is.. It's because in external Python, the way to handle a POST variable is like this: req["form"]["var1"]

Egy Mohammad Erdin

3 Answers

4

You should try to update your local (not recommended) or global dictionary with your data dictionary

>>> a = {"success":1,"data":{"var1":1,"var2":2,"var3":3}}
>>> a["data"]["var2"]
2
>>> locals().update(a["data"])
>>> var2
2

or

>>> globals().update(a["data"])
>>> var2
2

To do this in a safe way, you have to trust the source of the data you're updating your globals dictionary with, to avoid builtins replacement or other funny code injections.

Cédric Julien
  • 6
    While a nice trick, this isn't recommended in real-world Python programming. – Eli Bendersky May 03 '11 at 10:09
  • Neat! But as Eli says docs confirm locals should not be modified... http://docs.python.org/library/functions.html – elliot42 May 03 '11 at 10:13
  • Well, we can update the globals dictionary if the locals modification is not recommended – Cédric Julien May 03 '11 at 10:18
  • It's not the locals vs. globals distinction that matters. Mucking with both isn't a good idea - this is monkey patching – Eli Bendersky May 03 '11 at 10:24
  • I suspect the concern is that a user could pass a variable name that overwrites something you reference later in your code. A slightly better approach would be to have a list of "safe" variables and only allow those to be updated. – Carl F. May 03 '11 at 12:26
  • Thanks... @Cedric. I accept your answer, clearly it is the correct one.. but I think I will not use `local` or `global` update.. I didn't know the security part before.. – Egy Mohammad Erdin May 04 '11 at 02:26
  • Avoid using this if you can at all; it is implementation dependent, and assigning to locals is *extremely* buggy and depends on the scope you do it in. – ninjagecko May 13 '11 at 05:35
2

Could use the python "exec" statement to build a string and then execute it dynamically.

a = {"success":1,"data":{"var1":1,"var2":2,"var3":3}}

for key, value in a["data"].items():
    exec('%s=%s' % (key, value, ))

print 'var1:', var1
print 'var2:', var2
print 'var3:', var3
FuzzyWuzzy
  • 1
    You could, but that would be more dangerous than updating locals! What if var2 is import subprocess; subprocess.popen('rm', '-rf', '/') – Carl F. May 03 '11 at 12:23
1

To do this safely, I would suggest something like:

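a = {"success": 1, "data": {"var1": 1, "var2": 2, "var3": 3}}

# Only names on this allowlist may be set from the incoming data.
allowed_variables = ('var1', 'var2', 'var3')

for k, v in a["data"].items():
    if k in allowed_variables:
        # locals is a function and has to be called to get the dict
        locals().update({k: v})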
Carl F.
  • +1 for the security... but can it still be safe if I check that it must be through an AJAX call... so in my external process, check it first.. is it using AJAX or not? if so then go on?? – Egy Mohammad Erdin May 03 '11 at 15:38
  • 1
    I don't think that is secure either. I could look at your AJAX code and modify it to inject variables with names I think you might use in your code -- things like os, sys, path, etc... Maybe I could overwrite details of my user session with one that has admin privileges. Once you overwrite locals, you can no longer trust any function or variable. It could have been over-written by a malicious user. – Carl F. May 04 '11 at 01:27
  • Thanks.... I didn't know that AJAX can be injected too.. I think I will not use `local update`, if it can make my project dangerous and injected.... thanks all, thanks stack user.. one more piece of knowledge for me.. – Egy Mohammad Erdin May 04 '11 at 02:24
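
Added example, not part of any answer or comment above (written for Python 3): instead of writing request fields into `locals()` or `globals()`, the allowlisted form values are bound to a separate namespace object, so `fields.var2` works while names such as `open` in the request cannot replace anything the program uses. `FORM_SCHEMA`, `bind_form` and the sample request are assumptions made for illustration; only the `req["form"]` shape comes from the question.

```python
import json
from types import SimpleNamespace

# Hypothetical schema: allowlisted field name -> converter for the raw form value.
FORM_SCHEMA = {"var1": int, "var2": int, "var3": int}


def bind_form(req, schema=FORM_SCHEMA):
    """Return (fields, rejected) for one request dict.

    fields   -- namespace holding only allowlisted, converted values
    rejected -- sorted names that were dropped (unknown or failed conversion)
    """
    form = req.get("form")
    if not isinstance(form, dict):
        form = {}                          # missing or malformed form: bind nothing
    accepted, rejected = {}, []
    for name, raw in form.items():
        convert = schema.get(name)
        if convert is None:
            rejected.append(name)          # not on the allowlist
            continue
        try:
            accepted[name] = convert(raw)
        except (TypeError, ValueError):
            rejected.append(name)          # allowlisted, but the value is malformed
    return SimpleNamespace(**accepted), sorted(rejected)


# Constructed sample request line; "open" and "allowed" stand in for names a
# client might send hoping to overwrite something in the handler's scope.
SAMPLE_LINE = json.dumps({
    "form": {"var1": "1", "var2": "2", "var3": "x", "open": "0", "allowed": "[]"},
})

if __name__ == "__main__":
    fields, rejected = bind_form(json.loads(SAMPLE_LINE))
    print("var2 =", fields.var2)
    print("rejected:", rejected)
```

Logging the rejected names gives a cheap signal that a client is sending fields the handler never asked for.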