[Tutor] dangers of input()

Jeff Shannon jeff at ccvcorp.com
Tue Jul 20 22:43:40 CEST 2004

Dick Moores wrote:

> I was thinking of using input() instead of raw_input in my Frac.py 
> (posted yesterday). This would enable the user to enter things such as 
> "4**-3". Am I correct in assuming that this would be impossible to do 
> without using input()? If so, I may go ahead with input()--I'm the only 
> user, after all.

Well, it's not impossible to do it without input() -- input() itself 
is equivalent to eval(raw_input()).  You can use this equivalence to 
limit things a bit, by providing some dictionaries to eval() to use in 
place of globals() and locals(), which will provide some degree of 

You could also, if you were really ambitious, parse the input string 
yourself and thus have complete control over what operations were 
allowed and not allowed.  This is rather overkill for the project at 
hand, though. ;)

But, given that you're the only user and you presumably have some idea 
of the consequences of your actions (and nobody to blame but yourself 
if something *does* go wrong ;) ), then using input() is a reasonable 

Jeff Shannon
Credit International

More information about the Tutor mailing list