Simple explanation of security issues with input() vs raw_input()
I was reading this Python 2.7 tutorial, and where it goes over raw_input() it mentions that:
The input() function will try to convert whatever you enter as if it were Python code, but it has security issues so you should avoid doing that.
I tried a few explanations for this, but it is still a little unclear to me; what's a simple explanation for the alleged internal security issues with input() vs raw_input()?
The input() function in Python 2.x evaluates things before returning.
So, as an example, you can take a look at this -
>>> input("Enter Something : ")
Enter Something : exit()
This will cause the program to exit (since it will evaluate exit()).
Another example -
>>> input("Enter something else :")
Enter something else :__import__("os").listdir('.')
['.gtkrc-1.2-gnome2', ...]
This will display the contents of the current directory; you can also use functions such as os.chdir(), os.remove(), os.removedirs(), os.rmdir().
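The answer above shows the problem; the following is an added example (not from the question or the answer) of what the safe side looks like. Python 2's input() was effectively eval(raw_input()), so legacy_input() below reproduces that behaviour on a harmless arithmetic string purely to make it visible, while read_int() and read_literal() show the two usual safe replacements for a raw string obtained from raw_input() (or Python 3's input()): convert with int(), or parse with ast.literal_eval(), which accepts only literals and refuses calls, attribute access and imports. The sample strings are constructed for the example; SAMPLE_FROM_ANSWER is the expression quoted in the answer, used here only to show that the safe parser rejects it.

```python
import ast

# Constructed sample inputs. In a real program each of these strings would be
# the return value of raw_input() (Python 2) or input() (Python 3), which both
# hand back the raw text without evaluating it.
SAMPLE_NUMBER = "42"
SAMPLE_EXPRESSION = "2 + 3"
SAMPLE_LITERAL = "[1, 2, 3]"
SAMPLE_FROM_ANSWER = "__import__('os').listdir('.')"  # the string typed in the answer above


def legacy_input(raw):
    """Mirror of what Python 2's input() did with the text raw_input() returned:
    it passed the string to eval(), so any expression the user typed was executed.
    Kept here only to make that behaviour explicit; never do this on untrusted text."""
    return eval(raw)


def read_int(raw):
    """Safe replacement when an integer is expected: int() parses digits only,
    so arbitrary expressions and function calls raise ValueError instead of running."""
    try:
        return int(raw.strip())
    except ValueError:
        raise ValueError("expected an integer, got %r" % raw)


def read_literal(raw):
    """Safe replacement when a structured value (list, dict, string, number) is
    expected: ast.literal_eval() accepts only Python literals and raises ValueError
    for calls, attribute access and names such as __import__, so no code runs."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        raise ValueError("not a plain literal: %r" % raw)


def is_rejected(reader, raw):
    """True if the given safe reader refuses the text rather than evaluating it."""
    try:
        reader(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(legacy_input(SAMPLE_EXPRESSION))          # 5: old input() evaluated the text
    print(read_int(SAMPLE_NUMBER))                  # 42
    print(read_literal(SAMPLE_LITERAL))             # [1, 2, 3]
    print(is_rejected(read_int, SAMPLE_EXPRESSION))         # True
    print(is_rejected(read_literal, SAMPLE_FROM_ANSWER))    # True
```

The practical rule this illustrates: read text with raw_input() (or Python 3's input()) and then convert it with a parser that only knows the value type you expect; eval() of user-supplied text is what made Python 2's input() dangerous, and ast.literal_eval() is the standard-library tool to use when a literal rather than a plain number is wanted.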