Never use input() in Python 2

Prev Next

Never use input() in Python 2. It is a security hazard!

examples/python/use_input.py

import os
import sys

data = input()

print "done"

Run the script.

Type in os.system("ls -l")

Can you feel the danger in that?

Not yet?

What if someone typed in os.remove(__file__)

That would remove the current python file.

What if instead of the ls -l in os.system("ls -l") someone typed in rm -rf /.

All your files would be gone before you know it.

The problem is that input(prompt) in Python 2 is the same as eval(raw_input(prompt)) which means that after reading in the content of the standard input, python will immediately try to evaluate it.

That's never a good idea. I don't know how Guido thought it would be a good idea to have this feature in the language.

Just remember:

Python 2

raw_input(prompt) and never input(prompt)

Python 3

input(prompt)

Prev Next

Written by
Gabor Szabo

Published on 2017-08-13

If you have any comments or questions, feel free to post them on the source of this page in GitHub. Source on GitHub. Comment on this post

Never use input() in Python 2

Prev Next

Python 2

Python 3

Prev Next

Author: Gabor Szabo