Friday, April 6, 2012

Input in Python

Recently I have been exploring the Python programming language quite a lot, and I came across this basic security concern in Python.
In Python 2 there are two built-in functions for reading a line of input from the user: input() and raw_input().

For example:

foo = input("Enter the number")
foo_raw = raw_input("Enter the number")

Both functions read a line typed by the user, but raw_input() should always be preferred over input().

What the heck is the difference between raw_input() and input() in Python?

raw_input() is safe to use because it returns exactly what the user typed, unchanged, as a string. input() is defined in Python 2 as eval(raw_input(prompt)): it reads the line and then hands it to eval(), so the text is executed as a Python expression, with the program's own privileges and in the program's own namespace. The danger is not that the user types the word "eval"; it is that whatever the user types becomes the argument of eval(). A user who enters an expression such as __import__('os').system('...') gets that code run by the program, and a user who enters the name of a variable (say, one holding a password) gets its value handed back. Even an honest user typing plain text such as hello makes input() crash with a NameError. So always read input with raw_input() and convert it explicitly, for example int(raw_input("Enter the number")), rejecting anything that does not convert.

So

For example:

foo = input("Enter ")          # user types __import__('os').getcwd() -> executed as code, "Unsafe" "Harmful"

foo_raw = raw_input("Enter")   # user types the same text -> returned as a plain string, "Harmless"




Note: In Python 3.x, input() behaves like Python 2's raw_input() and always returns a string; raw_input() no longer exists there. If you really want the old behaviour in Python 3 you have to write eval(input()) yourself, which is exactly what should be avoided.
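As an added example (not code from the original post), the Python 3 script below models Python 2's input() as eval() of the typed text and lines it up against raw_input()-style handling (keep the string, convert with int()) and ast.literal_eval(), which is the safe middle ground when a Python literal is genuinely wanted. The DB_PASSWORD value and the typed inputs are constructed for the demonstration.

```python
import ast

# Constructed canary: a module-level value a real program might hold and
# would not want a user to be able to read through an input prompt.
DB_PASSWORD = "hunter2"  # constructed sample, not a real credential


def py2_input(user_text):
    """Model of Python 2's input(): it was defined as eval(raw_input(prompt)),
    so whatever the user typed is evaluated as a Python expression in the
    calling program's namespace. Deliberately unsafe, kept here for contrast."""
    return eval(user_text)


def raw_then_int(user_text):
    """raw_input()-style handling: keep the text as a string and convert it
    explicitly. Anything that is not an integer literal is rejected."""
    try:
        return int(user_text.strip())
    except ValueError:
        raise ValueError("expected an integer, got %r" % user_text) from None


def literal_only(user_text):
    """Middle ground for when a Python literal (number, string, list...) is
    really wanted: ast.literal_eval parses the text and refuses anything that
    is not a literal, so names, attribute access and calls are never run."""
    return ast.literal_eval(user_text)


# Constructed user inputs: one honest answer and three that a hostile or
# careless user could type at the prompt.
HONEST = "42"
EXPRESSION = "6 * 7"
HOSTILE = "DB_PASSWORD"                      # reads a variable from the program's namespace
HOSTILE_CALL = "__import__('os').getcwd()"   # runs arbitrary code


def compare(user_text):
    """Return what each reader does with the same typed text, so the three
    behaviours can be lined up side by side. Exceptions are reported by
    class name instead of propagating."""
    results = {}
    for name, reader in (("input", py2_input),
                         ("raw_input+int", raw_then_int),
                         ("literal_eval", literal_only)):
        try:
            results[name] = reader(user_text)
        except Exception as exc:  # ValueError, NameError, SyntaxError, ...
            results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for text in (HONEST, EXPRESSION, HOSTILE, HOSTILE_CALL):
        print("%-30r -> %s" % (text, compare(text)))
```

Running it shows the whole story on one screen: for "42" all three readers agree, but for DB_PASSWORD only the input() model hands the password back, and for the __import__ line only the input() model actually executes it; the other two reject the text with a ValueError. When you do want to accept more than integers, reach for ast.literal_eval() rather than eval(), since it still refuses names and calls.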

1 comment:

Anonymous said...

What you say is true for Python 2.x. For Python 3.x, input() functions as raw_input() did.