[Tutor] two input acceptions

Bob Gailer bgailer at alum.rpi.edu
Sat May 19 16:41:43 CEST 2007

Alan Gauld wrote:
> "Rolando Pereira" <finalyugi at sapo.pt> wrote
>> what did you mean when you were talking about the raw_input( )?  
>> How can the regular input( ) be used evilly?  
> raw_input() is the preferred way to read input from a user.
> It only reads the raw input as typed by the user so it always 
> returns a string which you then need to convert to another 
> type (like an int) if you need to. This gives you more control 
> over what kind of data your program receives.
> input() by contrast reads the string input by the user and tries 
> to evaluate it as a Python expression. Thus if the user typed
> import os;os.system('format c:\')
Err... are you confusing eval with exec?

input([prompt])

    Equivalent to eval(raw_input(prompt)).

> Python would try to evaluate that as a python string 
> and it could format your C drive. (In practice it would 
> throw up a prompt and hopefully you would say no!)
> It might not be something as obvious as that, it 
> could simply deactivate your firewall, or add a new 
> user account to your PC, anything that enables a 
> subsequent attack to do more damage.
> The attack might not be deliberate, sometimes 
> accidentally typed errors can result in code being 
> executed that you didn't want.
> But that's why input() is best used in very strictly 
> controlled environments - like at the >>> prompt when 
> you are testing/developing code. But use raw_input plus 
> a conversion function for finished code.
>> When I run the program and input the rectangle option, 
>> it asks me for a radius, 
> Your code is unreadable and I don't have the time 
> or inclination to try to unpick it. Can you send as plain 
> text or as an attachment please?
> Alan G
> _______________________________________________
> Tutor maillist  -  Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor

Bob Gailer
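The difference the thread is arguing about, as an added example that is not part of either poster's message. Python 2's input() was eval(raw_input()); in Python 3, input() returns the raw string, so the same hazard is spelled eval(input()). The code below runs under Python 3 and separates the two behaviours into functions that take the typed text as an argument (instead of calling input()) so they can be exercised offline. The function names and the sample inputs are assumptions constructed for this example; the malicious sample calls os.getcwd() rather than anything destructive. It also shows Bob's point: eval() only accepts an expression, so "import os; ..." fails with SyntaxError, while the expression form "__import__('os')..." is evaluated happily.

```python
"""Added example (not from the original thread): eval-style input versus
raw string input plus an explicit conversion, under Python 3."""

import ast


def unsafe_read_number(text):
    """Mimics Python 2 input() / Python 3 eval(input()): whatever the user
    typed is evaluated as a Python expression and the result returned."""
    return eval(text)  # deliberately unsafe: this is the pattern under discussion


def safe_read_number(text):
    """Mimics raw_input() plus a conversion function: the text is only ever
    handed to int() or float(); anything else raises ValueError."""
    text = text.strip()
    try:
        return int(text)
    except ValueError:
        pass
    try:
        return float(text)
    except ValueError:
        raise ValueError("expected a number, got %r" % text)


def classify(text):
    """Return 'expression', 'statement' or 'invalid' for the typed text.

    eval() parses in 'eval' mode, which accepts expressions only; exec()
    parses in 'exec' mode, which also accepts statements such as 'import'.
    This is why 'import os; os.system(...)' is rejected by eval() while
    '__import__("os").system(...)' is not.
    """
    try:
        ast.parse(text, mode="eval")
        return "expression"
    except SyntaxError:
        pass
    try:
        ast.parse(text, mode="exec")
        return "statement"
    except SyntaxError:
        return "invalid"


# Constructed sample inputs for the demonstration (assumed, not from the thread).
SAMPLE_INPUTS = [
    "42",
    "6*7",
    "__import__('os').getcwd()",
    "import os; os.system('echo pwned')",
]


def demo():
    """Run every sample through both readers; return a list of result rows."""
    rows = []
    for text in SAMPLE_INPUTS:
        try:
            unsafe = repr(unsafe_read_number(text))
        except Exception as exc:  # SyntaxError for the statement sample
            unsafe = "raised %s" % type(exc).__name__
        try:
            safe = repr(safe_read_number(text))
        except ValueError:
            safe = "raised ValueError"
        rows.append((text, classify(text), unsafe, safe))
    return rows


if __name__ == "__main__":
    for text, kind, unsafe, safe in demo():
        print("%-38s %-10s eval-style: %-28s safe: %s" % (text, kind, unsafe, safe))
```

The eval-style reader accepts "6*7" as 42 and executes the __import__ expression, returning the current directory as a string; the safe reader raises ValueError for both, which is the control Alan describes. The statement-form sample raises SyntaxError under eval(), which is Bob's objection; it would only run under exec().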
