text adventure game module for Python
Paul Rubin
phr-n2002b at NOSPAMnightsong.com
Fri Jul 19 21:39:46 EDT 2002
"Michael Bauers" <me at michaelbauers.com> writes:
> If the user types in "drop rock", the interpreter will return a string like
> 'player.drop(rock)' which is then 'exec'd. Note that interpreter accepts
> any string for object.
Oh no! What happens if the user types
drop rock);import os;os.system('rm\x20-rf\x20~')
Do you exec it?
Don't ever use exec on user input unless you really know what you're doing!
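
An added example, not part of the original post or of the module under discussion: one way to run "verb object" commands without exec, by looking the verb up in an allowlist and the object in a table of known game objects. Player, WORLD, VERBS and run_command are hypothetical names chosen for illustration.

```python
# Added example: allowlist dispatch instead of exec() on player input.
# Player, WORLD, VERBS and run_command are hypothetical names, not from the post.

class Player:
    def __init__(self):
        self.inventory = {"rock"}

    def drop(self, obj):
        if obj not in self.inventory:
            return f"You are not carrying the {obj}."
        self.inventory.remove(obj)
        return f"You drop the {obj}."

    def take(self, obj):
        self.inventory.add(obj)
        return f"You take the {obj}."

# Objects the game knows about; anything else is rejected, never evaluated.
WORLD = {"rock", "lamp"}

# Typed verb -> Player method name. Only these methods are reachable from input.
VERBS = {"drop": "drop", "take": "take", "get": "take"}

def run_command(player, line):
    """Parse 'verb object' and call the matching method; no exec or eval."""
    words = line.strip().lower().split()
    if len(words) != 2:
        return "I don't understand that."
    verb, obj = words
    if verb not in VERBS:
        return f"I don't know how to '{verb}'."
    if obj not in WORLD:
        return "I don't see that here."
    # The attribute name comes from VERBS, never from the typed text.
    return getattr(player, VERBS[verb])(obj)

if __name__ == "__main__":
    p = Player()
    # Constructed inputs: a normal command, then one shaped like the input
    # in the post (with a harmless command substituted).
    for line in ["drop rock", "drop rock);import os;os.system('id')"]:
        print(repr(line), "->", run_command(p, line))
```

The typed text is only ever compared against dictionary keys and set members, so extra punctuation or statements in the input end up as an unknown word rather than as code.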