[Tutor] dangers of input()
Jeff Shannon
jeff at ccvcorp.com
Tue Jul 20 22:43:40 CEST 2004
Dick Moores wrote:
> I was thinking of using input() instead of raw_input in my Frac.py
> (posted yesterday). This would enable the user to enter things such as
> "4**-3". Am I correct in assuming that this would be impossible to do
> without using input()? If so, I may go ahead with input()--I'm the only
> user, after all.

Well, it's not impossible to do it without input() -- input() itself
is equivalent to eval(raw_input()). You can use this equivalence to
limit things a bit, by providing some dictionaries to eval() to use in
place of globals() and locals(), which will provide some degree of
safety.

You could also, if you were really ambitious, parse the input string
yourself and thus have complete control over what operations were
allowed and not allowed. This is rather overkill for the project at
hand, though. ;)

But, given that you're the only user and you presumably have some idea
of the consequences of your actions (and nobody to blame but yourself
if something *does* go wrong ;) ), then using input() is a reasonable
solution.

Jeff Shannon
Technician/Programmer
Credit International