« Python collections - mutable and imutable | Main | Improving the historic town of Melksham »
November 30, 2006
Python security - trouble with input
The danger of Python's input function - also known as giving away your secrets to your user.
If you're writing a Python program and asking your user for input, you should always use the raw_input function and never input. Why? Because what you type to input is interpretted through an expression and the result is saved into your target variable ... so not only does input assume that your user knows Python syntax, but it also opens some great little security holes.
Look at this program.
Something = "your toes"
Secret = "I have ten of them"
value = input("Please enter your age ")
print "You are",value,
print "and you have a secret about",Something
And look how easy it is to find out all the variables that are used inthe program, and their contents:
earth-wind-and-fire$ python dain
Please enter your age dir()
You are ['Secret', 'Something', '__builtins__', '__doc__', '__file__', '__name__'] and you have a secret about your toes
earth-wind-and-fire:$ python dain
Please enter your age Secret
You are I have ten of them and you have a secret about your toes
earth-wind-and-fire:$
First run ... find out what all the defined variables are called. Second run ... start reading those variables. Ouch!
Posted by gje at November 30, 2006 07:53 AM