I just responded to a question on c.l.py a user had about feeding empty strings to input(). While he didn't say why he called input(), I suspect he thought the semantics were more like raw_input().

In these days of widespread Internet nastiness, shouldn't input() be deprecated?

-- Skip Montanaro (skip@pobox.com - http://www.mojam.com/)
Why? I imagine this is only used for interactive input, and then it's the computer's owner who is typing.

--Guido van Rossum (home page: http://www.python.org/~guido/)
>> I just responded to a question on c.l.py a user had about feeding
>> empty strings to input(). While he didn't say why he called input(),
>> I suspect he thought the semantics were more like raw_input().
>>
>> In these days of widespread Internet nastiness, shouldn't input() be
>> deprecated?

Guido> Why? I imagine this is only used for interactive input, and then
Guido> it's the computer's owner who is typing.

Yes, but what if the program containing calls to input() gets shipped to someone else's computer? It just seems to me that a) input is almost never what you want to call and that b) it would seem to a naive programmer to be the correct way to ask the user for a line of input.

Skip
I don't see the security problem. Can you explain a scenario where this causes a security risk? If the user of the program types something evil in the input box they screw themselves!

--Guido van Rossum (home page: http://www.python.org/~guido/)
Guido> Why? I imagine this is only used for interactive input, and then
Guido> it's the computer's owner who is typing.

>> Yes, but what if the program containing calls to input() gets shipped
>> to someone else's computer? It just seems to me that a) input is
>> almost never what you want to call and that b) it would seem to a
>> naive programmer to be the correct way to ask the user for a line of
>> input.

Guido> I don't see the security problem. Can you explain a scenario
Guido> where this causes a security risk? If the user of the program
Guido> types something evil in the input box they screw themselves!

Fine. Let's drop it.

Skip
[Skip Montanaro]
Yes, but what if the program containing calls to input() gets shipped to someone else's computer? It just seems to me that a) input is almost never what you want to call and that b) it would seem to a naive programmer to be the correct way to ask the user for a line of input.
One of my favorite papers for the upcoming Python Conference describes the use of Python in a CAD system for chip design. The authors had indeed used input(), and didn't know that it eval'ed expressions. The program's users discovered it first, succumbing to a natural urge to type expressions in the input fields. One of the things that made this paper a favorite is that the authors didn't whine about this: to the contrary, they were delighted to get the kudos for Guido's good intuition about what a kick-ass input() function should do.

guido-never-drives-before-a-few-stiff-drinks-either<wink>-ly y'rs - tim
Guido van Rossum wrote:
> > I just responded to a question on c.l.py a user had about feeding empty strings to input(). While he didn't say why he called input(), I suspect he thought the semantics were more like raw_input().
> >
> > In these days of widespread Internet nastiness, shouldn't input() be deprecated?
>
> Why? I imagine this is only used for interactive input, and then it's the computer's owner who is typing.
input() can also be used effectively in interactive apps (calculators, scripting engines for GUI apps) in contexts where the users can be trusted. Not _everything_ is on the web, luckily, and not everything needs to be evildoer-proof...

That doesn't mean that I think the naming choices for input() and raw_input() have withstood the test of hindsight, but few things do...

--david
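The behaviour this thread debates, as an added example that is not part of the original messages: Python 2's input() was equivalent to eval(raw_input()), emulated here on Python 3 beside a literal-only reader built on ast.literal_eval. The function names, the PROGRAM_STATE namespace and the sample lines are constructed for illustration.

```python
import ast

def py2_input(line, namespace=None):
    """Emulate Python 2 input(): evaluate the typed line as an expression."""
    # Assumption: 'line' stands in for what raw_input() would have returned,
    # and 'namespace' stands in for the calling program's globals.
    return eval(line, dict(namespace or {}))

def literal_input(line):
    """Accept only Python literals (numbers, strings, lists, dicts, ...)."""
    try:
        return ast.literal_eval(line.strip())
    except (ValueError, SyntaxError) as exc:
        raise ValueError("not a literal: %r" % line) from exc

def classify(line, namespace):
    """Report how each reader treats one typed line."""
    readers = (
        ("py2_input", lambda s: py2_input(s, namespace)),
        ("literal_input", literal_input),
    )
    result = {}
    for name, reader in readers:
        try:
            result[name] = ("ok", reader(line))
        except Exception as exc:
            result[name] = ("error", type(exc).__name__)
    return result

# Constructed program state and constructed user input lines.
PROGRAM_STATE = {"license_key": "constructed-value", "width": 4}
SAMPLES = [
    "42",             # plain number: both readers agree
    "2 + 3 * width",  # expression: evaluated by py2_input, rejected as a literal
    "license_key",    # bare name: py2_input returns the program's own variable
    "",               # empty line: py2_input fails with SyntaxError
    "[1, 2, 3]",      # list literal: both readers agree
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), classify(line, PROGRAM_STATE))
```

Whether the evaluating behaviour is a feature or a risk depends on who supplies the line, which is the disagreement in the thread; the literal-only reader is the choice when the input does not come from the machine's owner.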
participants (4)
- David Ascher
- Guido van Rossum
- Skip Montanaro
- Tim Peters