I was reading this Python 2.7 tutorial and they're going over raw_input(), and it mentions that:

The input() function will try to convert things you enter as if they were Python code, but it has security problems so you should avoid it.

I tried Googling some explanations for this, but it's still a bit unclear to me; what's a simple explanation of the alleged inherent security issues with input() vs raw_input()?
The input() function in Python 2.x evaluates things before returning. So as an example you can take a look at this:
>>> input("Enter Something : ")
Enter Something : exit()
This would cause the program to exit (as it would evaluate exit()).

Another example:
>>> input("Enter something else :")
Enter something else :__import__("os").listdir('.')
['.gtkrc-1.2-gnome2', ...]
This would list out the contents of the current directory; you can also use functions such as os.chdir(), os.remove(), os.removedirs(), os.rmdir().