Never use input() in Python 2

input raw_input

Never use input() in Python 2. It is a security hazard!

examples/python/use_input.py

import os
import sys

data = input()

print "done"

Run the script.

Type in os.system("ls -l")

Can you feel the danger in that?

Not yet?

What if someone typed in os.remove(__file__)

That would remove the current python file.

What if instead of the ls -l in os.system("ls -l") someone typed in rm -rf /.

All your files would be gone before you know it.

The problem is that input(prompt) in Python 2 is the same as eval(raw_input(prompt)) which means that after reading in the content of the standard input, python will immediately try to evaluate it.

That's never a good idea. I don't know how Guido thought it would be a good idea to have this feature in the language.

Just remember:

Python 2

raw_input(prompt) and never input(prompt)

Python 3

input(prompt)

Related Pages

Python

Author

Gabor Szabo (szabgab)

Gabor Szabo, the author of the Python Maven web site.

Gabor Szabo