
I am creating a Django application that stores an equation with variables that needs to be calculated in the backend. i.e. the user would store the following as a string:

{rower_weight}/({rower_time})^3

where rower_weight and rower_time are variables. Then, in the backend (upon receiving new data), it would store a calculated field based on the formula.

I considered using eval or f-strings, however that would be unsafe with user input. What would be the best alternative that would allow for unsafe user input to be used?

Thanks!

  • That would be extraordinarily unsafe. Yes, definitely don't use `eval` for this. Are the entire equations provided by the user, or are they just supplying the input data? If it's the latter, just make some functions representing the equations, and then give the functions the user input. – Carcigenicate Oct 25 '22 at 23:56
  • Hi @Carcigenicate - the user inputs the equations unfortunately. It is a feature that allows the user to modify the way in which the power: weight conversion is calculated. – Jack Miller Oct 26 '22 at 00:33
  • Then I'd go with the duplicate suggestions. Make or install an expression parser that safely handles this. If you only have a few operators you need to support, this wouldn't be too hard. Absolutely do not use `eval` for this though. You'd be asking to be hacked. – Carcigenicate Oct 26 '22 at 00:44
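As an added example (not code from the question or from the commenters), here is the kind of small expression parser Carcigenicate suggests, in Python since the project is Django. The grammar is an assumption chosen to match the formula in the question: numbers, `{name}` variable references, the operators `+ - * / ^` and parentheses; every name in the block (`FormulaError`, `tokenize`, `parse`, `evaluate`, `calculate`) is the example's own. Nothing is ever handed to `eval()`, so a stored formula can only produce a number or raise an error.

```python
# Added example: a tiny expression parser so user formulas are never passed to eval().
import math
import operator
import re

MAX_FORMULA_LEN = 200   # cap input size before parsing (also bounds parser recursion)
# One token per match: number, {variable} reference, operator/parenthesis, or a stray character.
_TOKEN_RE = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|\{([A-Za-z_]\w*)\}|([-+*/^()])|(\S))")
# All arithmetic is on floats (no big-integer blow-up); math.pow raises instead of returning complex.
_OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.truediv, "^": math.pow}


class FormulaError(ValueError):
    """Bad syntax, unknown variable, or arithmetic that is out of range."""


def tokenize(formula):
    if len(formula) > MAX_FORMULA_LEN:
        raise FormulaError("formula too long")
    tokens = []
    for m in _TOKEN_RE.finditer(formula):
        num, name, op, bad = m.groups()
        if bad:                           # anything outside the grammar, e.g. '_' in __import__
            raise FormulaError(f"unexpected character {bad!r}")
        tokens.append(("num", float(num)) if num else ("var", name) if name else ("op", op))
    return tokens


class _Parser:
    """Recursive descent, lowest precedence first: expr -> term -> unary -> power -> atom."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self):
        tok = self.peek()
        if tok[0] is None:
            raise FormulaError("unexpected end of formula")
        self.pos += 1
        return tok

    def binary(self, ops, operand):       # left-associative chain: a - b - c == (a - b) - c
        node = operand()
        while self.peek()[0] == "op" and self.peek()[1] in ops:
            node = ("bin", self.take()[1], node, operand())
        return node

    def expr(self):
        return self.binary("+-", self.term)

    def term(self):
        return self.binary("*/", self.unary)

    def unary(self):
        if self.peek() == ("op", "-"):
            self.take()
            return ("neg", self.unary())
        return self.power()

    def power(self):                      # right-associative: 2^3^2 == 2^(3^2)
        node = self.atom()
        if self.peek() == ("op", "^"):
            self.take()
            node = ("bin", "^", node, self.unary())
        return node

    def atom(self):
        kind, value = self.take()
        if kind in ("num", "var"):
            return (kind, value)
        if (kind, value) != ("op", "("):
            raise FormulaError(f"unexpected token {value!r}")
        node = self.expr()
        if self.take() != ("op", ")"):
            raise FormulaError("missing ')'")
        return node


def parse(formula):
    """Validate a formula (e.g. when the user saves it) and return its syntax tree."""
    parser = _Parser(tokenize(formula))
    try:
        node = parser.expr()
    except RecursionError:                # defence in depth against deeply nested input
        raise FormulaError("formula nested too deeply") from None
    if parser.peek()[0] is not None:
        raise FormulaError(f"unexpected token {parser.peek()[1]!r}")
    return node


def evaluate(node, variables):
    """Walk the tree; only the five operators in _OPS can ever run."""
    kind = node[0]
    if kind == "num":
        return node[1]
    if kind == "var":
        if node[1] not in variables:
            raise FormulaError(f"unknown variable {node[1]!r}")
        return float(variables[node[1]])
    if kind == "neg":
        return -evaluate(node[1], variables)
    _, op, left, right = node
    a, b = evaluate(left, variables), evaluate(right, variables)
    try:
        result = _OPS[op](a, b)
    except (ZeroDivisionError, ValueError, OverflowError) as exc:
        raise FormulaError(str(exc)) from exc
    if not math.isfinite(result):         # e.g. 1e308 * 10 overflows to inf silently
        raise FormulaError("result is not a finite number")
    return result


def calculate(formula, variables):
    """Per-request entry point: apply the stored formula to freshly received data."""
    return evaluate(parse(formula), variables)
```

`parse()` belongs in the form or model `clean()` that saves the formula, so malformed input is rejected at that point; `calculate()` runs per request with the new measurements, for instance `calculate("{rower_weight}/({rower_time})^3", {"rower_weight": 75, "rower_time": 2})`, which gives 9.375 with those constructed values. Any extra operator or function the feature later needs is added to `_OPS` and the grammar and nowhere else; a formula has no way to name arbitrary Python objects.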

0 Answers