When to use input()?

Justin Sheehy dworkin at ccs.neu.edu
Thu Dec 23 11:08:16 EST 1999


Gerrit Holl <gerrit.holl at pobox.com> writes:

> Can someone tell me a situation to use input()?
> Is it possible to run it in a rexec environment? If not, input() isn't
> only useless, but also unsafe.
> I think input() is bad because you pass the user's input to eval() directly,
> so the user can do __import__('os').system('sh'). That can't be what
> you want.

Unless, of course, it is what you want.

There are plenty of situations where this isn't dangerous at all.  In
the case of a user manually executing a non-suid script, for instance,
they can't do anything as a result of input() that they couldn't do on
their own anyway.

There are many problem domains where input() is not appropriate.  Most
networked or distributed applications are examples of such, as you
probably don't want users of your app to execute arbitrary code on
your server.

suid scripts or programs that manage to have some authorization to do
things that their user cannot do on his own should probably not use
input() either.

However, there are plenty of situations where input() is convenient,
useful and safe.

-Justin
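
An added example, not part of the original message: for the networked and privileged cases the reply describes, the value can be parsed as data instead of being evaluated. The sketch below is Python 3 (where input() already returns a plain string rather than evaluating it); the function names `parse_literal` and `risky_nodes` and the sample strings are assumptions made for illustration.

```python
import ast


def parse_literal(text):
    """Accept only Python literals (numbers, strings, tuples, lists, dicts,
    sets, booleans, None). Anything that would need evaluation is rejected."""
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %r" % (text,)) from exc


def risky_nodes(text):
    """Report which constructs make an expression more than data.
    The text is only parsed into a syntax tree, never executed."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError:
        return ["syntax-error"]
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            found.add("call")
        elif isinstance(node, ast.Attribute):
            found.add("attribute:" + node.attr)
        elif isinstance(node, ast.Name):
            found.add("name:" + node.id)
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample inputs; the last one is the expression quoted
    # in the question above.
    samples = ["42", "[1, 2, 3]", "{'port': 8080}",
               "__import__('os').system('sh')"]
    for s in samples:
        try:
            print("accepted:", repr(parse_literal(s)))
        except ValueError:
            print("rejected:", s, "->", risky_nodes(s))
```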

 


