[Tutor] role playing game - help needed

Steven D'Aprano steve at pearwood.info
Sun Dec 12 04:39:19 CET 2010


David Hutto wrote:
> On Sat, Dec 11, 2010 at 11:54 AM, Lie Ryan <lie.1296 at gmail.com> wrote:
>> On 12/07/10 23:37, Robert Sjöblom wrote:
>>> I've been told to use input() if I know that I'll only get integers,
>>> and raw_input() for "everything."
>> That is a bad piece of advice. You should only use input() when you can
>> fully trust whoever doing the input (i.e. you).
> 
> Who uses the crap we, as noobies produce? It's pie in the sky
> mentality. We design it because WE want it and WE (individually) use
> it.

Do you want to learn good habits or learn bad habits? I think we've seen 
plenty of evidence on this mailing list that you have little interest in 
learning good habits, but actively defend your right to learn bad habits.

There are plenty of people who do the same. They're harmless and even 
pathetically amusing as newbies, and then they get a job working as a 
professional programmer, and end up writing crappy, bug-addled code 
filled with the sort of n00b errors that we've been warning about. 
Bug-addled code with *real* consequences.

Command injection bugs are hugely common in the real world. At least 
four of the 25 most common security bugs in *professional* software are 
in my opinion varieties of the command injection flaw, and one of those 
is the SECOND most common flaw:

SQL injection attack #2 most common
Unrestricted upload of dangerous files #8 most common
OS command injection #9 most common
PHP file inclusion attack #13 most common

http://cwe.mitre.org/top25/

OS command injection is *exactly* the sort of thing we're warning about.

Feel free to continue learning bad habits, but please stop trying to 
encourage others to do the same.


-- 
Steven
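The habit Lie and Steven are arguing for, as an added example that is not code from the thread: Python 2's input() evaluates whatever the user types as a Python expression, while raw_input() (plain input() in Python 3) returns the text, which the program then converts itself. The hypothetical helpers parse_int() and ask_int() below accept only a decimal whole number and refuse anything that would have needed evaluation; the `read` parameter is an assumption so the prompt loop can run without a terminal.

```python
import re

# Only a plain, optionally signed decimal literal is accepted. Expressions
# such as "2+2" or "int('3')" are refused outright instead of being evaluated.
_INT_RE = re.compile(r"^\s*[+-]?\d+\s*$")


def parse_int(text, low=None, high=None):
    """Return the integer written in `text`, or raise ValueError.

    Optional inclusive bounds let a game reject out-of-range choices
    (for example a menu numbered 1..4) in the same place.
    """
    if not _INT_RE.match(text):
        raise ValueError("not a whole number: %r" % text)
    value = int(text)
    if low is not None and value < low:
        raise ValueError("%d is below the minimum %d" % (value, low))
    if high is not None and value > high:
        raise ValueError("%d is above the maximum %d" % (value, high))
    return value


def ask_int(prompt, low=None, high=None, read=input, tries=3):
    """Prompt until parse_int() accepts the answer or `tries` runs out.

    `read` is a hypothetical injection point (not from the original post)
    that defaults to the built-in input(); on Python 2 it would be
    raw_input(), never input(). Returns None after `tries` bad answers.
    """
    for _ in range(tries):
        try:
            return parse_int(read(prompt), low, high)
        except ValueError as exc:
            print("Invalid choice (%s); try again." % exc)
    return None


if __name__ == "__main__":
    # Constructed sample session: the first answer is rejected, the second
    # is out of range, the third is accepted.
    answers = iter(["2+2", "9", "2"])
    print(ask_int("Choose 1-4: ", 1, 4, read=lambda _p: next(answers)))
```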

