[python-win32] The input command

Blair Hall b.hall at irl.cri.nz
Tue Jun 24 15:34:23 EDT 2003


Sorry not to have been clearer in my posting, but you
did interpret my meaning correctly.

Perhaps the following example will help to explain my question further.
Say I have the script:

         x = 3
         y = 5
         print input("write an expression in x and y: ")

If I run this in Pythonwin, and type 'x+y' when prompted, then I
get an exception. However, if I run the same script in a cmd window
it will print the expected answer '8'. (I tried it from IDLE too
and got the same result (8).)

Granted, there are security issues, but it seems to me that one might
want input to behave as it does in the cmd window (if one wanted 'input' at 
all).

Am I wrong?

Is there any simple way to fix, or emulate, this behaviour in Pythonwin?

At 19:07 23/06/2003 -0700, Jeff Shannon wrote:
>Blair Hall wrote:
>
>>Does the 'input' command work as it should inside Pythonwin?
>>
>>For example:
>>
>> >>> x = 3
>> >>> y = 5
>> >>> input("Please type in 'x+y': ") # type in the sum to the dialog
>>
>>gives me the error:
>>
>>Traceback (most recent call last):
>>   File "<interactive input>", line 1, in ?
>>   File "C:\Python22\lib\site-packages\Pythonwin\pywin\framework\app.py", 
>> line 368, in Win32Input
>>     return eval(raw_input(prompt))
>>   File "<string>", line 0, in ?
>>NameError: name 'x' is not defined
>
>
>It's not clear exactly what you're typing (i.e., what input() is 
>evaluating), but I gather that you're typing in the equation:
>
>x + y
>
>I believe that what's happening is that input() evaluates the keyboard 
>input in a separate, restricted scope.  In that scope, the x and y that 
>you just defined (outside of input() ) don't exist.  And this is a good 
>thing, because otherwise it would be very easy for input() to accidentally 
>stomp all over internal variables that an end user would have no idea exist.
>
>The input() function does operate properly from within PythonWin.
>
> >>> input('enter an equation: ')
>'ha ha ha '
> >>>
>
>The equation I entered was:   "ha " * 3
>Keep in mind that using input() is a *huge* security risk, since all sorts 
>of code can be typed in and run.  It's one thing if you're absolutely 
>certain that you're the only one who'll ever use a program, but using exec 
>or eval() on strings from a potentially untrusted source is very dangerous 
>(and input() implicitly uses eval(), as you noted). All it takes is 
>someone entering a line like "import os; os.system('rm -s /')" -- that 
>*will* run a shell command that could potentially wipe out the entire 
>system.  And there are subtler problems that are possible, too, which may 
>include accidents as opposed to deliberate malice like the above example.
>
>Jeff Shannon
>Technician/Programmer
>Credit International
>
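The traceback quoted above shows the mechanism: Pythonwin's Win32Input calls
eval(raw_input(prompt)) with no globals/locals argument, so the typed text is
evaluated in the namespace of pywin/framework/app.py rather than in the
script that called input(), and the script's x and y are not visible there.
The following added example (not code from the thread or from Pythonwin,
written for Python 3, where input() is Python 2's raw_input()) reproduces
that behaviour, emulates the cmd-window behaviour by evaluating in the
caller's frame via sys._getframe (an assumption about how one could emulate
it, not how Pythonwin does it), and contrasts both with a hardened
replacement that parses the text with the ast module and only allows
arithmetic on an explicit dict of names, so that "import os; ..." or
__import__('os').system(...) never reach eval(). The keyboard input is
constructed inline so the script runs offline.

```python
import ast
import operator
import sys


def pythonwin_style_input(prompt, read=input):
    """What Pythonwin's Win32Input does, per the quoted traceback: eval()
    the typed text with no explicit namespace.  Names then resolve in the
    module that defines this function, not in the calling script, so the
    caller's x and y are invisible here."""
    return eval(read(prompt))


def caller_scope_input(prompt, read=input):
    """Emulate the cmd-window / IDLE behaviour of Python 2's input():
    evaluate in the caller's own globals and locals.  (Assumed emulation,
    not Pythonwin's code.)  This restores the convenience and, with it,
    the full eval() risk: any expression typed is executed."""
    frame = sys._getframe(1)  # the frame of whoever called us
    return eval(read(prompt), frame.f_globals, frame.f_locals)


# Hardened alternative: arithmetic only, over an explicit set of names.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
    # ast.Pow deliberately omitted: "9**9**9" would tie up the process.
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_eval(text, names):
    """Evaluate an arithmetic expression over the variables in `names` by
    walking the AST.  Calls, attribute access, subscripts, imports and
    statements are rejected before anything is executed."""
    tree = ast.parse(text, mode="eval")  # SyntaxError on "import os; ..."

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in names:
                raise NameError("name %r is not defined" % node.id)
            return names[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError("disallowed syntax: %s" % type(node).__name__)

    return walk(tree)


def safe_input(prompt, names, read=input):
    """Drop-in for input() that accepts only arithmetic on `names`."""
    return safe_eval(read(prompt), names)


def is_rejected(text, names=None):
    """True when safe_eval refuses `text` instead of evaluating it."""
    try:
        safe_eval(text, names or {})
    except (ValueError, SyntaxError, NameError):
        return True
    return False


def run_script(typed):
    """Replay the thread's three-line script with `typed` standing in for
    the keyboard input (constructed, not read from a terminal) and report
    what each flavour of input() does with it."""
    x = 3
    y = 5
    out = {}
    try:
        out["pythonwin"] = pythonwin_style_input("expr: ", lambda p: typed)
    except NameError as e:
        out["pythonwin"] = "NameError: %s" % e
    out["caller_scope"] = caller_scope_input("expr: ", lambda p: typed)
    out["safe"] = safe_input("expr: ", {"x": x, "y": y}, lambda p: typed)
    return out


if __name__ == "__main__":
    print(run_script("x+y"))
    for hostile in ("__import__('os').system('echo pwned')",
                    "import os; os.system('rm -rf /')",
                    "x.__class__.__mro__"):
        print("rejected" if is_rejected(hostile, {"x": 3}) else "ACCEPTED", hostile)
```

run_script("x+y") gives a NameError for the Pythonwin-style variant and 8
for the other two; the hostile strings are refused by safe_eval at the parse
or AST-walk stage, whereas caller_scope_input would execute them just as the
cmd-window input() does.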