Sanity and safety check: "getattr" in place of "eval"/"exec"?

I’m trying to clear out some of the uses of “eval” and “exec” in my code, thinking that they may introduce security issues. To that end, I’m currently replacing them with calls to “getattr”. Something like this:

Instead of:

eval("someObj.scriptObj." + someObj.scriptToCall + "(parameter1, parameter2)")

I’m now using this:

getattr(someObj.scriptObj, someObj.scriptToCall)(parameter1, parameter2)

Now, this seems reasonable and functional. However, I’m not all that familiar with the particulars of using “getattr”, and find myself a little anxious that there might be lurking caveats, or performance considerations.

So, I’d like to check, if I may: Are there any problems with my new approach? Does it introduce new security concerns, or problems with certain usages, or an impact to performance? Or other issues that may not have occurred to me?


No. Getattr is what Python uses under the hood every time you use ., including in an eval(), so certainly this will be a big improvement in every respect.

Ah, that’s good and relieving to know, thank you! :slight_smile:
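
An added example, not part of the original thread: when `scriptToCall` comes from data files or user input, `getattr` treats the string as one attribute name and never as code, but it will still return any attribute the object has. The sketch below limits dispatch to an explicit allowlist. `ScriptObj`, `on_hit`, `on_heal`, `_reset`, `ALLOWED_SCRIPTS`, `call_script` and `describe` are hypothetical names chosen for illustration.

```python
# Added example: every class, method and function name here is an assumption.

class ScriptObj:
    """Constructed stand-in for someObj.scriptObj."""

    def on_hit(self, damage, source):
        return f"hit for {damage} by {source}"

    def on_heal(self, amount, source):
        return f"healed {amount} by {source}"

    def _reset(self):  # internal helper, not meant to be selected by data
        return "state wiped"


# Explicit allowlist of method names that data is permitted to select.
ALLOWED_SCRIPTS = frozenset({"on_hit", "on_heal"})


def call_script(script_obj, script_name, *args):
    """Dispatch like getattr(obj, name)(*args), but only for allowlisted
    names, and only when the attribute found is actually callable."""
    if not isinstance(script_name, str) or script_name not in ALLOWED_SCRIPTS:
        raise ValueError(f"script name not permitted: {script_name!r}")
    method = getattr(script_obj, script_name, None)
    if not callable(method):
        raise ValueError(f"no callable script named {script_name!r}")
    return method(*args)


def describe(script_obj, script_name, *args):
    """Return the call's result, or the reason the call was refused."""
    try:
        return call_script(script_obj, script_name, *args)
    except ValueError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    obj = ScriptObj()
    # Constructed inputs: a normal name, an internal name, a dunder, and a
    # string that only makes sense as source code (inert under getattr).
    for name in ("on_hit", "_reset", "__class__", "on_hit(1, 2)"):
        print(f"{name!r:16} -> {describe(obj, name, 5, 'goblin')}")
```
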