[Tutor] two input acceptions

Alan Gauld alan.gauld at btinternet.com
Sat May 19 09:28:19 CEST 2007

"Rolando Pereira" <finalyugi at sapo.pt> wrote
> what did you mean when you were talking about the raw_input( )?  
> How can the regular input( ) be used evilly?  

raw_input() is the preferred way to read input from a user.
It only reads the raw input as typed by the user  so it always 
returns a string which you then need to convert to another 
type (like an int) if you need to. This gives you more controil 
over what kind of data your program receives.

input() by contrast reads the string input by the user and tries 
to evaluate it as a Python expression. Thus if the user typed

import os;os.system('format c:\')

Python would try to evaluate that as a python string 
and it could format your C drive. (In practice it would 
throw up a prompt and hopefully you would say no!)
It might not be something as obvious as that, it 
could simply deactivate your firewall, or add a new 
user account to your PC, anything that enables a 
subsequent attack to do more damage.

The attack might not be deliberate, sometimes 
accidentally typed errors can result in code being 
executed that you didn't want.

But thats why input() is best used in very strictly 
controlled environments - like at the >>> prompt when 
you are testing/developing code. But use raw_input plus 
a conversion function for finished code.

> When I run the program and input the rectangle option, 
> it asks me for a radius, 

Your code is unreadable and I don't have the time 
or inclination to try to unpick it. Can you send as plain 
text or as an attachment please?

Alan G

More information about the Tutor mailing list