python 2.7.12 on Linux behaving differently than on Windows

Paul Moore p.f.moore at gmail.com
Mon Dec 5 10:11:18 EST 2016


On Monday, 5 December 2016 14:11:34 UTC, BartC  wrote:
> On 05/12/2016 12:23, Chris Angelico wrote:
> > On Mon, Dec 5, 2016 at 10:42 PM, BartC <bc at freeuk.com> wrote:
> >> At least Windows does it properly. It doesn't even chop the command line
> >> into different parameters, making it considerably more flexible. (Unless you
> >> have a program based on a C-style main(nargs,args) entry point where the C
> >> runtime will do this for you.)
> >
> > Yes, because there's no way that you can ever get security problems
> > from improperly parsing command-line arguments.
> 
> And you will never get any problems if a program expects 3 parameters 
> but instead gets some arbitrary number of arguments, perhaps thousands, 
> if one happens to be *, including some that could coincide with some 
> actual meaningful input that the program recognises.

Windows and Linux are different. Neither is unambiguously "right" nor is either unambiguously "wrong". In both cases you need to understand what happens when you type a command, or you *will* get caught out by corner cases.

Calling either approach "dumb" is neither helpful nor productive.

This specific example, of a program that takes a fragment of SQL as its command line, is one that's very hard to handle cleanly in a cross-platform way, because you actually don't want the shell, or the application, to interpret your arguments for you. The "best" approach is often to accept the SQL command as a single argument (argv[1]) and rely on your users quoting the argument appropriately. Admittedly, that simply pushes the problem onto your users, who may well also be uncomfortable with the subtleties of command line parsing, but at least they are using their choice of shell, so they have a chance of knowing.

The alternative, if you *really* don't want to force your users to understand shell parsing, is to prompt the user for the SQL - either as a simple console input, or (for users who are really uncomfortable with the command line) via a GUI program and a dialog box.

But criticising the (entirely valid, simply different) choices of another OS vendor as "dumb" isn't acceptable, nor is it a way to get to a solution to your issue.

Paul
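
The single-argument approach described in the message above, as an added example that is not part of the original post: it approximates what a POSIX shell does to an unquoted `*` before the program starts, and shows a program that accepts the SQL only as argv[1]. The names `posix_shell_argv`, `sql_from_argv` and `demo`, the `query` command and the sample files are assumptions made for the illustration.

```python
import fnmatch
import os
import shlex
import tempfile

GLOB_CHARS = set("*?[")


def posix_shell_argv(command_line, cwd):
    """Approximate a POSIX shell: split into words, then replace each
    unquoted glob pattern with the matching file names in cwd."""
    argv = []
    # posix=False keeps the quote characters, so quoted words are recognisable.
    for word in shlex.split(command_line, posix=False):
        if len(word) >= 2 and word[0] in "'\"" and word[-1] == word[0]:
            argv.append(word[1:-1])          # quoted: passed through literally
        elif GLOB_CHARS & set(word):
            names = sorted(n for n in os.listdir(cwd) if not n.startswith("."))
            # An unmatched pattern is left as typed (the default in sh/bash).
            argv.extend(fnmatch.filter(names, word) or [word])
        else:
            argv.append(word)
    return argv


def sql_from_argv(argv):
    """Accept the SQL only as one argument (argv[1]); refuse anything else
    rather than guessing how to rejoin words the shell already rewrote."""
    if len(argv) != 2:
        raise ValueError("expected 1 argument, got %d: quote the SQL"
                         % (len(argv) - 1))
    return argv[1]


def demo():
    """Run the unquoted and quoted command lines in a constructed directory."""
    results = []
    with tempfile.TemporaryDirectory() as cwd:
        for name in ("a.txt", "from"):       # constructed sample files
            open(os.path.join(cwd, name), "w").close()
        for line in ('query select * from t', 'query "select * from t"'):
            argv = posix_shell_argv(line, cwd)
            try:
                results.append((argv, sql_from_argv(argv)))
            except ValueError as exc:
                results.append((argv, "rejected: %s" % exc))
    return results


if __name__ == "__main__":
    for argv, outcome in demo():
        print(argv, "->", outcome)
```

The unquoted line reaches the program as six words, two of them file names, so the argument-count check is what stops a rewritten query from being run.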


