Michael Sparks wrote:
> Tiger12506,
>
> You are COMPLETELY missing the point. The __following__ code
>
>>>>> foo = raw_input(...)
>>>>> x = eval(foo)
>>>>>
>
> ONLY works if the user has console access to the machine.
>
> If they have console access to the machine
> AND you're worried about them damaging it
> THEN an eval(raw_input( ...)) construct is the least of your worries.
>
> I'm not referring to text taken from
> * a network connection
> * a file
> * a web form
> * a P2P network
>
> I was JUST referring to the ONE context of immediately eval'ing user input.
> (an unlikely one at that)
>
No, I think you're missing the point. If the program was not interacting with the user through the console, then why would you be using raw_input()? raw_input() is used to get user input from the controlling terminal. Am I missing some other use for raw_input()?

Using eval() on untrusted input of any kind is a security risk.

Reading the rest of your email, I get the feeling that what you're saying is: if a user has access to "the console", then using eval( raw_input() ) is the least of your worries because the person can do anything they want. Is that your assertion?

If it is, then it's an invalid argument. raw_input() is not only useful on "the console", it can be used to interact with any terminal and can be done securely so that exiting the program is either impossible, or restarts the program or else simply disconnects from the terminal and leaves the user with no access at all. The only thing I can imagine is that you're stuck in some DOS mindset that if you're able to type into "the console" then you have ultimate access to the machine, which is not the case when using a true multi-user operating system like *nix or VMS.

But, most strange to me is why you're this fired up over such a simple issue. It seems to me like just a misunderstanding.
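
Added example, not part of either message in the thread: the same typed lines handled by eval() and by ast.literal_eval(), to show what a terminal-facing program exposes when it evaluates input as code. It is written for Python 3, where raw_input() is named input(); SESSION_SECRET, the function names and the sample lines are constructed for illustration.

```python
import ast

# Constructed stand-in for state the program holds but a terminal user should never see.
SESSION_SECRET = "constructed-secret-value"


def parse_with_eval(line):
    """The construct debated in the thread: evaluate the typed line as Python code."""
    return eval(line)  # the expression runs with this module's globals in scope


def parse_literal(line):
    """Accept only Python literals: numbers, strings, tuples, lists, dicts, sets, booleans, None."""
    try:
        return ast.literal_eval(line.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("not a plain literal: %r" % (line,)) from None


def handle_lines(lines, parser):
    """Run each typed line through `parser`; return (line, accepted, value_or_error) tuples."""
    results = []
    for line in lines:
        try:
            results.append((line, True, parser(line)))
        except Exception as exc:
            results.append((line, False, str(exc)))
    return results


# Constructed terminal input: two ordinary values, then two lines that are expressions, not data.
SAMPLE_LINES = ["42", "[1, 2, 3]", "SESSION_SECRET", "len(SESSION_SECRET)"]

if __name__ == "__main__":
    for name, parser in (("eval", parse_with_eval), ("literal_eval", parse_literal)):
        for line, ok, value in handle_lines(SAMPLE_LINES, parser):
            print("%-12s %-22r %s %r" % (name, line, "accepted" if ok else "rejected", value))
```

With eval() all four lines are accepted and the third returns the program's own variable; with ast.literal_eval() only the two literal values are accepted.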