| References | <534d7800-14c1-430b-85fb-dd703c2acc4d@googlegroups.com> <c8d5972d-9b11-4885-a68d-6ce1d0414718@googlegroups.com> <IGbnt.31113$LC7.15822@fx06.am4> <519d9f71$0$1591$c3e8da3$76491128@news.astraweb.com> |
|---|---|
| Date | 2013-05-23 16:04 +1000 |
| Subject | Re: Newbie question about evaluating raw_input() responses |
| From | Chris Angelico <rosuav@gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.1992.1369289058.3114.python-list@python.org> |
On Thu, May 23, 2013 at 2:47 PM, Steven D'Aprano
<steve+comp.lang.python@pearwood.info> wrote:
> But all joking aside, eval is dangerous, yes, but it is not "evil". It
> needs to be handled with caution, but there are good uses for it. In
> fact, there are a few -- a very few -- things which can *only* be done
> with eval or exec. That's why it is part of the language!
>...
>
> So while it is right and proper to treat eval with great respect as a
> powerful (and therefore dangerous) tool, and avoid it whenever you don't
> *need* it, there is no reason to be irrational about it :-)

No need to be irrational about eval(), but I do agree that input() should never be used. Especially now that Py3 has changed the meaning of input(), it's potentially very confusing to call the old function; be explicit and use eval(raw_input()) if you actually want that.

Quite apart from the extreme danger of eval'ing something tainted (which isn't a problem if you KNOW the user's trusted - eg if you're effectively writing an interactive interpreter for yourself), input() is just too concealing; it's not obvious that code will be executed.

Above all, I don't want to see people advised to eval things as a solution to simple problems. Maybe it's safe *right now*, but any advice that solves today's problem will be used to solve tomorrow's problem too, and tomorrow's problem will involve code going to someone untrusted who suddenly gets full code execution.

But this is why we have a mailing list, not one-on-one advice. Kevin's post is bound to get a follow-up, just as my posts are when I say something incorrect. It gives that measure of extra confidence: "Correct me if I'm wrong, but..." is implicitly prefixed to everything :)

So Kevin, please don't get me wrong: I'm not hating on you, I'm not wishing you hadn't posted. But I *will* speak strongly against the Py2 input() function. :)

Chris Angelico
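
The contrast discussed in the message above, as an added example that is not part of the original post: what Python 2's `input()` did with a typed line (`eval(raw_input())`) next to two ways of reading a value without executing it. It is written for Python 3, where typed text is modelled as plain strings; the function names, the `record` marker and the sample lines are constructed for illustration.

```python
import ast

side_effects = []  # constructed marker: shows when evaluated text actually ran code


def record(msg):
    """Harmless stand-in for whatever a typed expression could call."""
    side_effects.append(msg)
    return 0


def py2_input_equivalent(text, env):
    """What Python 2's input() did with the typed line: eval(raw_input())."""
    return eval(text, env)


def parse_literal(text, allowed=(int, float, str, bool)):
    """Accept a single Python literal of an allowed type; nothing is executed."""
    try:
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %r" % (text,)) from exc
    if type(value) not in allowed:
        raise ValueError("literal of unexpected type: %s" % type(value).__name__)
    return value


def parse_int(text, lo, hi):
    """The usual beginner case (a number in a range) needs no eval at all."""
    value = int(text.strip())  # raises ValueError on anything but an integer
    if not lo <= value <= hi:
        raise ValueError("out of range: %d" % value)
    return value


def demo():
    typed = ["42", "'yes'", "2**8", "record('code ran')"]  # constructed input lines
    for line in typed:
        try:
            safe = repr(parse_literal(line))
        except ValueError as exc:
            safe = "rejected (%s)" % exc
        evaluated = py2_input_equivalent(line, {"record": record})
        print("%-22s literal_eval: %-45s eval: %r" % (line, safe, evaluated))
    print("side effects triggered by eval:", side_effects)


if __name__ == "__main__":
    demo()
```

`ast.literal_eval` rejects both the function call and the arithmetic expression, so any line that is more than a literal fails closed instead of running.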