Using Python for date calculations

random832 at fastmail.us random832 at fastmail.us
Fri Nov 21 14:54:23 CET 2014


On Fri, Nov 21, 2014, at 05:33, alister wrote:
> the problem with input is code-injection which is very similar to sql 
> injection (httpd://xkcd.com/327).
> 
> the data entered by the user is processed as if it was python code, this 
> means the user could enter a command (or sequence of commands) that cause 
> serious problems to you computer including but not limited to:-

Except standard input for interactive programs is rarely across a
privilege boundary. The user can accomplish any of these far more easily
by entering a command into their shell. (Well, more easily depending on
which is better able to use the API for their central heating, but the
others certainly).

There are good reasons to avoid it (user is likely to be surprised by
weird error messages, causing a crash due to a typo), but this kind of
paranoia is the same as has people in some circles refusing to use
strlcpy or fgets because they can cause silent truncation.



More information about the Python-list mailing list