The purpose of this article is to explain and investigate the vulnerability in the input() function in Python 2.x. In Python 3, the raw_input() function has been deprecated and its functionality has been moved to a new built-in function known as input().
Methods for inputting data in Python 2.x
There are two common methods for getting input in Python 2.x: raw_input() and input().
The following program reads three values with raw_input() and three with input(), printing the type of each result, which shows the difference between the two:
Input data:
Hello
456
[1,2,3]
45
"goodbye"
[1,2,3]

Output:
Enter input to test raw_input() function: <type 'str'>
Enter input to test raw_input() function: <type 'str'>
Enter input to test raw_input() function: <type 'str'>
Enter input to test input() function: <type 'int'>
Enter input to test input() function: <type 'str'>
Enter input to test input() function: <type 'list'>
Note: When entering a string into the input() function, we must enclose the value in double quotes. This is not required with raw_input(), which returns whatever was typed as a string.
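The type difference above can be reproduced without a Python 2 interpreter. The block below is an added example, not the article's own program: it models Python 2's raw_input() and input() on Python 3, relying on one fact about Python 2, namely that input(prompt) behaves as eval(raw_input(prompt)). The sample lines are the six values the article feeds its program, and the helper names (py2_raw_input, py2_input, outcome, result_types) are this example's own.

```python
"""
Added example, not the article's own program: a Python 3 model of Python 2's
raw_input() and input(), so the type difference can be reproduced without a
Python 2 interpreter.  The model rests on one fact about Python 2:
input(prompt) behaves as eval(raw_input(prompt)).
"""

# Constructed sample lines: the six values the article feeds its program.
RAW_INPUT_LINES = ["Hello", "456", "[1,2,3]"]
INPUT_LINES = ["45", '"goodbye"', "[1,2,3]"]


def py2_raw_input(line):
    """Python 2 raw_input(): the entered text comes back unchanged, as a str."""
    return line


def py2_input(line):
    """Python 2 input(): the entered text is evaluated as a Python expression."""
    return eval(line, {})


def outcome(line, reader):
    """Type name of what `reader` produces for `line`, or the exception it raises."""
    try:
        return type(reader(line)).__name__
    except Exception as exc:  # e.g. NameError for a bare word such as Hello
        return "raises " + type(exc).__name__


def result_types(lines, reader):
    """One outcome per line, mirroring what the article's program prints."""
    return [outcome(line, reader) for line in lines]


if __name__ == "__main__":
    for line in RAW_INPUT_LINES:
        print("raw_input() given %-10r -> %s" % (line, outcome(line, py2_raw_input)))
    for line in INPUT_LINES:
        print("input()     given %-10r -> %s" % (line, outcome(line, py2_input)))
    # The bare word Hello, which raw_input() accepted as a str, is a name
    # lookup to input(): it only succeeds if a variable called Hello exists.
    print("input()     given %-10r -> %s" % ("Hello", outcome("Hello", py2_input)))
```

The last line of the demo is the seed of the vulnerability discussed next: a bare word given to input() is not text, it is a lookup of a variable in the running program.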
Vulnerability in input()
The vulnerability in input() is that the text a user types is evaluated as a Python expression, so any variable or function in the program's scope can be read or called simply by entering its name. Let's look at this one step at a time:
Pick a number between 1 to 500
Guess the number: You lose
Guess the number:

Pick a number between 1 to 500
Guess the number: You win
As you can see, in the second case the variable name "secret_number" can be given directly as input, and the answer is always "You win". The interpreter evaluates the name and substitutes the variable's value as if the number itself had been entered, so the comparison always evaluates to True. With raw_input() this is not possible, since the entered text is kept as a string and the variable is never looked up.
Input:
400
secretfunction()

Output:
raw_input(): Guess secret number: wrong answer
input(): Guess the secret number: You guessed correct
In this set of I/O we can see that when we use raw_input(), we must actually enter the correct number. With the input() function, however, we can even enter the name of a function or variable, and the interpreter will evaluate it.
Here, for example, the input to input() was the function call secretfunction(). The interpreter evaluates that call, which returns the secret number we are trying to find, and so the if condition evaluates to True even though we never entered the secret number.
Input:
secretfunction()
secret_value

Output:
raw_input(): Guess secret number: wrong answer
input(): Guess the secret number: You guessed correct
As explained in the first paragraph, in this example we were also able to simply enter the variable name "secret_number" into the input() function and access the secret value.
However, when secretfunction() is entered at a raw_input() prompt, the comparison fails: raw_input() returns the text as a string and does not evaluate it as a function call.
Preventing Input Vulnerabilities
It's always best to use raw_input() in Python 2.x and then explicitly convert the input to the type we need. For example, to read an integer we can do the following:
n = int(raw_input())
Because the text is never evaluated, no variable name or function call entered by the user can be looked up or executed. Note that int() raises ValueError when the text is not an integer, so wrap the conversion in a try/except (or validate the text first) rather than letting the error propagate.
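The guessing check from the two runs above, side by side with the recommended raw_input()-plus-int() version, as an added example that is not the article's own code. It is written for Python 3, with Python 2's input() modelled as eval() of the entered text over the program's own names; SECRET_NUMBER, secret_function, the three check functions and the sample inputs are constructed for this demonstration. A third variant using ast.literal_eval goes a little beyond the article: it is for the case where the program legitimately wants typed literals (lists, strings) from the user without giving up name lookup protection.

```python
"""
Added example, not the article's own code: the article's guessing check in
Python 3, with Python 2's input() modelled as eval() of the entered text,
beside the raw_input()-plus-int() version the article recommends.
"""
import ast

SECRET_NUMBER = 400  # constructed secret, matching the article's sample run


def secret_function():
    """Stands in for the article's secretfunction(): it returns the secret."""
    return SECRET_NUMBER


def check_guess_legacy(entered):
    """Check as Python 2 input() did: the text is evaluated as an expression
    with the program's own names visible, so a name or a call is honoured."""
    program_scope = {"secret_number": SECRET_NUMBER, "secretfunction": secret_function}
    try:
        guess = eval(entered, program_scope)  # what Python 2 input() does internally
    except Exception:  # NameError, SyntaxError, ... for text that is not an expression
        return "wrong answer"
    return "You guessed correct" if guess == SECRET_NUMBER else "wrong answer"


def check_guess_safe(entered):
    """Check the way the article recommends: keep the text as a string and
    convert it explicitly with int(); anything that is not an integer literal
    is rejected instead of evaluated."""
    try:
        guess = int(entered.strip())
    except ValueError:
        return "wrong answer"
    return "You guessed correct" if guess == SECRET_NUMBER else "wrong answer"


def check_guess_literal(entered):
    """Variant for input that may legitimately be another literal type:
    ast.literal_eval builds numbers, strings, lists and so on but refuses
    names and calls, so no program variable or function can be reached."""
    try:
        guess = ast.literal_eval(entered)
    except (ValueError, SyntaxError):
        return "wrong answer"
    return "You guessed correct" if guess == SECRET_NUMBER else "wrong answer"


# Constructed inputs: a wrong number, the right number, and the two
# non-numeric entries the article demonstrates.
SAMPLE_INPUTS = ["45", "400", "secret_number", "secretfunction()"]


def compare(inputs=SAMPLE_INPUTS):
    """(input, legacy result, safe result) for each sample line."""
    return [(s, check_guess_legacy(s), check_guess_safe(s)) for s in inputs]


if __name__ == "__main__":
    for entered, legacy, safe in compare():
        print("%-18s input(): %-20s raw_input()+int(): %s" % (entered, legacy, safe))
```

Running the block shows the legacy check answering "You guessed correct" for all of 400, secret_number and secretfunction(), while the int()-based check accepts only 400. The ast.literal_eval variant is the right tool only when non-integer literals are genuinely expected; when an integer is all that is wanted, int() is both simpler and stricter.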
This article was contributed by Deepak Srivatsav.