On Fri, Nov 21, 2014, at 05:33, alister wrote:
> the problem with input is code-injection which is very similar to sql
> injection (httpd://xkcd.com/327).
>
> the data entered by the user is processed as if it was python code, this
> means the user could enter a command (or sequence of commands) that causes
> serious problems to your computer including but not limited to:-
Except standard input for interactive programs is rarely across a privilege boundary. The user can accomplish any of these far more easily by entering a command into their shell. (Well, more easily depending on which is better able to use the API for their central heating, but the others certainly.)

There are good reasons to avoid it (user is likely to be surprised by weird error messages, causing a crash due to a typo), but this kind of paranoia is the same as has people in some circles refusing to use strlcpy or fgets because they can cause silent truncation.

-- 
https://mail.python.org/mailman/listinfo/python-list
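The "crash due to a typo" point above is the practical reason to read a line as text and parse it yourself instead of letting Python 2's `input()` evaluate it. The following is an added example written for this thread, not code posted by either participant: it uses `ast.literal_eval` to accept only plain numeric literals, so a typo such as `4o` or a stray expression is reported as invalid input rather than raising deep inside the interpreter, and nothing the user types is ever executed. The function names, the `reader` callback and the sample lines are all constructed for the example.

```python
import ast


def parse_number(text):
    """Parse one user-supplied line as an int or float literal.

    Returns None for anything that is not a plain number: typos, empty
    lines, names, calls, containers, booleans. ast.literal_eval only
    builds values from literal syntax nodes, so no code is executed.
    """
    try:
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        # ValueError: a non-literal node such as a call or a name.
        # SyntaxError: a typo or an empty line.
        # MemoryError/RecursionError: absurdly long or deeply nested text.
        return None
    # bool is a subclass of int; "True" is not a number for our purposes.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return value


def ask_number(prompt, reader, attempts=3):
    """Prompt up to `attempts` times via `reader(prompt)`.

    `reader` is any callable returning a line of text; in a real program
    it would be the built-in input() (Python 3) or raw_input() (Python 2).
    Returns the first valid number, or None if the user never typed one.
    """
    for _ in range(attempts):
        value = parse_number(reader(prompt))
        if value is not None:
            return value
    return None


if __name__ == "__main__":
    # Constructed sample lines standing in for a user at the terminal:
    # a typo, an empty line, then a valid entry.
    lines = iter(["4o", "", "12"])
    print(ask_number("temperature: ", lambda p: next(lines)))  # 12
    for sample in ["42", "3.5", "-7", "4o", "print(1)", "[1, 2]", "True"]:
        print(repr(sample), "->", parse_number(sample))
```

The check on `isinstance(value, (int, float))` after `literal_eval` is what keeps the accepted type narrow; without it the function would happily return a list or a string, which is a different kind of input-validation bug than the one the thread is about.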