Python security - trouble with input
Archive - Originally posted on "The Horse's Mouth" - 2006-11-30 07:53:25 - Graham EllisThe danger of Python's input function - also known as giving away your secrets to your user.
If you're writing a Python program and asking your user for input, you should always use the raw_input function and never input. Why? Because what you type to input is interpretted through an expression and the result is saved into your target variable ... so not only does input assume that your user knows Python syntax, but it also opens some great little security holes.
Look at this program.
Something = "your toes"
Secret = "I have ten of them"
value = input("Please enter your age ")
print "You are",value,
print "and you have a secret about",SomethingAnd look how easy it is to find out all the variables that are used inthe program, and their contents:
earth-wind-and-fire$ python dain
Please enter your age dir()
You are ['Secret', 'Something', '__builtins__', '__doc__', '__file__', '__name__'] and you have a secret about your toes
earth-wind-and-fire:$ python dain
Please enter your age Secret
You are I have ten of them and you have a secret about your toes
earth-wind-and-fire:$First run ... find out what all the defined variables are called. Second run ... start reading those variables. Ouch!