Subject: Re: Newbie question about evaluating raw_input() responses
From: Chris Angelico
To: python-list@python.org
Date: Thu, 23 May 2013 16:04:09 +1000
Newsgroups: comp.lang.python

On Thu, May 23, 2013 at 2:47 PM, Steven D'Aprano wrote:
> But all joking aside, eval is dangerous, yes, but it is not "evil". It
> needs to be handled with caution, but there are good uses for it. In
> fact, there are a few -- a very few -- things which can *only* be done
> with eval or exec. That's why it is part of the language!
>...
>
> So while it is right and proper to treat eval with great respect as a
> powerful (and therefore dangerous) tool, and avoid it whenever you don't
> *need* it, there is no reason to be irrational about it :-)

No need to be irrational about eval(), but I do agree that input() should
never be used. Especially now that Py3 has changed the meaning of input(),
it's potentially very confusing to call the old function; be explicit and
use eval(raw_input()) if you actually want that. Quite apart from the
extreme danger of eval'ing something tainted (which isn't a problem if you
KNOW the user's trusted - e.g. if you're effectively writing an interactive
interpreter for yourself), input() is just too concealing; it's not obvious
that code will be executed.

Above all, I don't want to see people advised to eval things as a solution
to simple problems. Maybe it's safe *right now*, but any advice that solves
today's problem will be used to solve tomorrow's problem too, and
tomorrow's problem will involve code going to someone untrusted who
suddenly gets full code execution.

But this is why we have a mailing list, not one-on-one advice. Kevin's post
is bound to get a follow-up, just as my posts are when I say something
incorrect. It gives that measure of extra confidence: "Correct me if I'm
wrong, but..." is implicitly prefixed to everything :)

So Kevin, please don't get me wrong: I'm not hating on you, I'm not wishing
you hadn't posted. But I *will* speak strongly against the Py2 input()
function. :)

Chris Angelico
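The following is an added example written for this page, not code from Chris Angelico or from the thread. It shows concretely why Py2's input() (which is eval(raw_input())) is "too concealing": the same typed line that a number-parsing replacement rejects is silently executed by eval(). It assumes Python 3; py2_style_input is a hypothetical helper standing in for Python 2's input(), side_effect is a constructed marker function used only to observe that code ran, and the sample responses are constructed.

```python
import ast

# Log of side effects so a caller can observe whether evaluating a string ran code.
CALLS = []


def side_effect():
    """Harmless, constructed stand-in for any function a user-typed string might call."""
    CALLS.append("side_effect ran")
    return 42


def py2_style_input(text):
    """Hypothetical helper mimicking Python 2's input(): eval() of the raw text."""
    return eval(text)


def literal_input(text):
    """Replacement that accepts only Python literals (numbers, strings, tuples,
    lists, dicts, sets, booleans, None). Calls, names and attribute access are
    rejected with ValueError; text that does not parse raises SyntaxError."""
    return ast.literal_eval(text)


def int_input(text, lo=None, hi=None):
    """Strictest replacement when the prompt asks for a whole number: int() plus
    an optional range check. Anything that is not an integer raises ValueError."""
    value = int(text.strip())
    if lo is not None and value < lo:
        raise ValueError("%d is below the minimum %d" % (value, lo))
    if hi is not None and value > hi:
        raise ValueError("%d is above the maximum %d" % (value, hi))
    return value


def try_parse(parser, text):
    """Run one parser on one line of user input and report the outcome as a
    (status, detail) pair instead of raising, so results are easy to tabulate."""
    try:
        return ("ok", parser(text))
    except (ValueError, SyntaxError, TypeError) as exc:
        return ("rejected", type(exc).__name__)


# Constructed sample responses, as a user might type them at a raw_input() prompt.
SAMPLE_RESPONSES = ["42", "  7 ", "[1, 2, 3]", "2+2", "side_effect()"]


def compare_parsers(responses=SAMPLE_RESPONSES):
    """Return {response: {parser_name: (status, detail)}} for every parser,
    so the reader can see which inputs each approach accepts or rejects."""
    parsers = {
        "eval": py2_style_input,
        "literal_eval": literal_input,
        "int": int_input,
    }
    return {
        resp: {name: try_parse(fn, resp) for name, fn in parsers.items()}
        for resp in responses
    }


if __name__ == "__main__":
    for resp, outcomes in compare_parsers().items():
        print("%-16r %s" % (resp, outcomes))
    print("eval() ran user-supplied code:", CALLS)
```

The design point is that the parser should match the question asked: a prompt for a count wants int() (with a range check), a prompt for structured data can use ast.literal_eval(), and neither will ever call a function named in the response. Only the eval()-based variant turns "side_effect()" into a call, which is exactly the behaviour that is invisible at the call site of Py2's input().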