[Tutor] two input acceptions
alan.gauld at btinternet.com
Sat May 19 09:28:19 CEST 2007
"Rolando Pereira" <finalyugi at sapo.pt> wrote
> what did you mean when you were talking about the raw_input( )?
> How can the regular input( ) be used evilly?
raw_input() is the preferred way to read input from a user.
It only reads the raw input as typed by the user so it always
returns a string which you then need to convert to another
type (like an int) if you need to. This gives you more controil
over what kind of data your program receives.
input() by contrast reads the string input by the user and tries
to evaluate it as a Python expression. Thus if the user typed
import os;os.system('format c:\')
Python would try to evaluate that as a python string
and it could format your C drive. (In practice it would
throw up a prompt and hopefully you would say no!)
It might not be something as obvious as that, it
could simply deactivate your firewall, or add a new
user account to your PC, anything that enables a
subsequent attack to do more damage.
The attack might not be deliberate, sometimes
accidentally typed errors can result in code being
executed that you didn't want.
But thats why input() is best used in very strictly
controlled environments - like at the >>> prompt when
you are testing/developing code. But use raw_input plus
a conversion function for finished code.
> When I run the program and input the rectangle option,
> it asks me for a radius,
Your code is unreadable and I don't have the time
or inclination to try to unpick it. Can you send as plain
text or as an attachment please?
More information about the Tutor