[Tutor] role playing game - help needed

Steven D'Aprano steve at pearwood.info
Sun Dec 12 04:39:19 CET 2010

David Hutto wrote:
> On Sat, Dec 11, 2010 at 11:54 AM, Lie Ryan <lie.1296 at gmail.com> wrote:
>> On 12/07/10 23:37, Robert Sjöblom wrote:
>>> I've been told to use input() if I know that I'll only get integers,
>>> and raw_input() for "everything."
>> That is a bad piece of advice. You should only use input() when you can
>> fully trust whoever doing the input (i.e. you).
> Who uses the crap we, as noobies produce? It's pie in the sky
> mentality. We design it because WE want it and WE(individually) use
> it.

Do you want to learn good habits or learn bad habits? I think we've seen 
plenty of evidence on this mailing list that you have little interest in 
learning good habits, but actively defend your right learn bad habits.

There are plenty of people who do the same. They're harmless and even 
pathetically amusing as newbies, and then they get a job working as a 
professional programmer, and end up writing crappy, bug-addled code 
filled with the sort of n00b errors that we've been warning about. 
Bug-addled code with *real* consequences.

Command injection bugs are hugely common in the real world. At least 
four of the 25 most common security bugs in *professional* software are 
in my opinion varieties of the command injection flaw, and one of those 
is the SECOND most common flaw:

SQL injection attack #2 most common
Unrestricted upload of dangerous files #8 most common
OS command injection #9 most common
PHP file inclusion attack #13 most common


OS command injection is *exactly* the sort of thing we're warning about.

Feel free to continue learning bad habits, but please stop trying to 
encourage others to do the same.


More information about the Tutor mailing list