[Tutor] Is my style OK in this elementary student exercise?

Rich Lovely roadierich at googlemail.com
Sun Jul 5 07:48:39 CEST 2009


2009/7/4 Angus Rodgers <angusr at bigfoot.com>:
>>Date: Sat, 04 Jul 2009 13:26:12 +0100
>>From: Angus Rodgers <angusr at bigfoot.com>
>>Message-ID: <vrhu451924b136aea0ivadnlqc4h7uqavu at 4ax.com>

> My response to this [but see the afterthought below!] is that I
> definitely need to put into the documentation string something
> like "*** THIS FUNCTION IS HIGHLY VULNERABLE TO A MALICIOUS USER
> ***", so that I will be strongly warned NEVER to incorporate it
> into any program that might be used by anyone other than myself.
>
> It might also be a good idea to include some kind of brief warning
> in the user prompts. (This won't put off a malicious user, of course,
> but it would help to keep me in mind of the potential danger.)

I personally would never release code to any sort of public calling
eval on user-inputted (or even user-accessible) strings or using
input(), even if you had to go through fifteen different dialogue
boxes first (see below).  Also, at a beginner level, as soon as you
can manage without these, you should, perhaps even going so far as to
delete the old function, so you never run the risk of copy and pasting
when not paying much attention.

There are always ignorant users, who can be influenced by malicious
users, and might not know what I mentioned in my previous is wrong,
therefore making warnings irrelevant.  To give a classic example, as
seen in IRC channels across the web:

<NewUser> How do I do XYZ in ABC?
<RandomJHacker> NewUser: Press Alt+F4 if you're on windows.
<NewUser> Thanks.
#NewUser has quit - connection reset by peer#
Later...
#NewUser has joined the channel#
<NewUser> Every time I try to do XYZ, my IRC client shuts down.
<CodeChimp> NewUser: What command are you using?
<NewUser> CodeChimp: Alt+F4
<lurker69> lol
<CodeChimp> NewUser: That's a common problem.  You can fix it in the
config screen.  Bring it up by holding down Ctrl and Alt, and pressing
Del twice quickly.
<NewUser> ok
#NewUser has quit - connection reset by peer#
<lurker69> lol

Perhaps I enjoyed writing that a little too much... and I could easily
go on.  But I won't.  Email me for the continuing saga of NewUser.

Anyone at a level to need to use input() appropriately is usually
capable of writing their own script to do so, and would probably just
be annoyed at any warnings you chose to stick in.  I've never gotten
to the point where I've needed input(). I'm curious to know whether
anyone on the list has.
-- 
Richard "Roadie Rich" Lovely, part of the JNP|UK Famile
www.theJNP.com
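An added example, not code from the thread or from either poster: in Python 2, input() is eval(raw_input()), so any string the user types is executed. The hardened alternative below reads a number from user text by parsing it into an AST and walking only a whitelist of node types; function names and the arithmetic whitelist are my own assumptions, and it targets Python 3.

```python
import ast
import operator

# Whitelist of operators the evaluator will apply (assumption: plain arithmetic
# is all an elementary exercise needs).  Pow is deliberately absent so that
# "9**9**9" cannot tie up the CPU; everything not listed is rejected.
_BINARY = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_number(text):
    """Turn arithmetic text such as "2+3*4" into a number without eval().

    The text is only parsed, never executed: names, calls, attribute access,
    subscripts and every other node type raise ValueError in _walk().
    """
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a number: %r" % text) from exc
    return _walk(tree.body)


def _walk(node):
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        return _BINARY[type(node.op)](_walk(node.left), _walk(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_walk(node.operand))
    # ast.Name, ast.Call, ast.Attribute, ast.Subscript, ... all land here.
    raise ValueError("rejected input: %s" % type(node).__name__)


def accepts(text):
    """True if safe_number() would return a value for this text."""
    try:
        safe_number(text)
    except (ValueError, ZeroDivisionError):
        return False
    return True


def read_number(prompt, reader=input):
    """Prompt until the user types something safe_number() accepts."""
    while True:
        text = reader(prompt)
        if accepts(text):
            return safe_number(text)
        print("Please enter a plain number or arithmetic expression.")
```

read_number() takes the reader as a parameter only so the loop can be exercised without a terminal; in a script, read_number("Enter a number: ") is enough.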

