Does the input() function have security issues?
For your information, I am using python 3.x currently.
Yes and No.
It just takes whatever is passed in and returns it in string-form (at least on Python-3.x). What you do with that string could be unsafe though. The most prominent example for an unsafe processing of input is eval - don't use that function on the string returned from input - ever!
However it's unsafe for security related informations because what you entered is visible in the prompt (shoulder surfing)! If you want to hide it, for example for password prompts, you should use the built-in getpass module instead (or a similar library).
Related
so here's the problem:
letsSay = "!math 74*11"
l = letsSay.split("!math ")[1]
formatted = f"{l}"
print(formatted)
it outputs "74*11" instead of doing the operation, how do I make it do the operation first?
Given the form of the input string, which starts with !math, I believe you are writing a bot for an online chat room. Even if you are not, but especially if you are, do not use eval to compute the result. The eval function is dangerous, because it runs arbitrary code provided as a string; especially when that string comes from an untrusted user on an internet chat room, using eval is like giving your house key to any random stranger who asks for it. This is called remote code execution, and it is a very serious security vulnerability.
The correct solution to your problem is to use a library or API for evaluating mathematical expressions which does not execute arbitrary code as a string. See this other question for examples.
Some python-2.7 and python-3.x functions have the same name, but perform differently. Can I import use a py2.7 function in python-3.x one, by changing its name?
The motivating example is python-2.7's "print", i.e. print "TEXT" which does not use without parenthesis, compared to print("TEXT") in python 3. Can I keep the python 2 "print" by binding it to something like pr?
(By the way, the issue for me is typing and escaping the brackets. The keys ( and ) are harder to press than a space bar. Also, because my IDE puts them in automatically, I then need to move my cursor out of it.)
Note: I asked this previously, yet has been wrongly marked as a duplicate.
Again, to be clear, I'm specifically asking if I can bind a python 2 function to a new name in order to use its functionality in python-3.x.
Can I bind python-2.7's `print` in python-3.x, allowing me to use `print` without parenthesis in python-3.x?
I do not know how to contact moderators via internal message or correct this wrongful flag.
The real solution is to configure your IDE, rather than try and hack your way around those configuration problems.
That said, the Python 2 print statement with a space and no parenthesis does not exist in Python 3. While you can find ways to use the function from Python 2, the syntax cannot be used.
If your real problem is with the parentheses in print() for python 3, then no, as far as I know there's not really a solution. If it's a different function, you could always do
def funcName(arg):
return anotherFunc(arg)
or as chepner comments
funcName = anotherFunc
effectively renaming anotherFunc().
As for your IDE specific issues, there's probably a way to turn off the automatic parentheses (or you could just use the arrow keys on your keyboard) and the more you use the parentheses, the faster you'll get using them, which is probably a good thing, as they're used in basically every function you'll ever use.
Finally, it's best not to force a language to do a specific thing that it doesn't really provide for. You don't use GOTOs in Python - they're not built in for a reason. You can write them using other methods. You use parentheses in python 3 - don't try to change that! There's another reason not to alter a language in the way you're describing - it decreases the readability of your code. Everyone will know what you mean when you write
''.join(something)
but not when you write
randomFuncName(something)
and then in some obscure spot you have a function like the one described above that renames ''.join.
I am writing a command line interface in python that accepts a lot of user input. For the values that I am querying the user about, there is a significant amount of "additional information" that I could display, but would rather only display if the user needed help with how to provide a value.
So I thought I would provide my usual raw_input prompt, but also try an accept some Ctrl-H type sequences to output this help info.
Can Python accept this kind of input via raw_input in a terminal/shell? It there another more proper way to do this (preferably in the stdlib)?
No, python cannot accept this kind of input through raw_input. This is because you're thinking about sequences like: Ctrl-C, Ctrl-Z, etc. These are not keyboard inputs, these are signals that are processed by the terminal (not the program).
You can try to set up signal handlers that will do this for you, but that is not a very reliable solution (regardless of whether you're using python or something else).
The best solution for accepting this kind of input is to either use curses, or use readline (with adjustments to the configuration to handle things like Ctrl-H). Using readline will make your life much easier, but it comes with the cost that you have to license your program under the GNU GPL (or similar). Whereas curses does not have this kind of restriction.
From the Python 2to3 doc:
input:
Converts input(prompt) to eval(input(prompt))
I am currently trying to learn Python 3 after a few years working with Python 2. Can anybody please explain why the tool inserts eval before the call to input, and whether I should do so in all my Python 3 code?
python 2's old input behavior has been removed, python 3's current input was what was previously named raw_input. raw_input and python 3 input always returns a string, unlike input which tries to evaluate the input as an expression.
The 2to3 tool inserted an eval because it has no way to tell if you're relying on the old input automatically evaluating its inputs. The old input behavior is deemed a mistake because you can evaluate pretty much any valid python expression, therefore any python program that uses input() has a glaring security hole. After conversion, you should evaluate each use of eval and determine whether that part of the code are going to be receiving any untrusted user input.
You should never uses eval(input()), except perhaps in throwaway scripts. There is no way to make eval secure.
Why is print a keyword in python and not a function?
Because Guido has decided that he made a mistake. :)
It has since been corrected: try Python 3, which dedicates a section of its release notes to describing the change to a function.
For the whole background, see PEP 3105 and the several links provided in its References section!
print was a statement in Python because it was a statement in ABC, the main inspiration for Python (although it was called WRITE there). That in turn probably had a statement instead of a function as it was a teaching language and as such inspired by basic. Python on the other hand, turned out to be more than a teaching language (although it's good for that too).
However, nowadays print is a function. Yes, in Python 2 as well, you can do
from __future__ import print_function
and you are all set. Works since Python 2.6.
It is now a function in Python 3.
The print statement in Python 2.x has some special syntax which would not be available for an ordinary function. For example you can use a trailing , to suppress the output of a final newline or you can use >> to redirect the output to a file. But all this wasn't convincing enough even to Guido van Rossum himself to keep it a statement -- he turned print into a function in Python 3.x.
An answer that draws from what I appreciate about the print statement, but not necessarily from the official Python history...
Python is, to some extent, a scripting language. Now, there are lots of definitions of "scripting language", but the one I'll use here is: a language designed for efficient use of short or interactive programs. Such languages tend to allow one-line programs without excessive boilerplate; make keyboard input easier (for instance, by avoiding excessive punctuation); and provide built-in syntax for common tasks (convenience at the possible expense of purity). In Python's case, printing a value is a very common thing to do, especially in interactive mode. Requiring print to be a function seems unnecessarily inconvenient here. There's a significantly lower risk of error with the special syntax that does the right thing 99% of the time.
I will throw in my thoughts on this:
In Python 2.x print is not a statement by mistake, or because printing to stdout is such a basic thing to do. Everything else is so thought-through or has at least understandable reasons that a mistake of that order would seem odd. If communicating with stdout would have been cosidered so basic, communicating with stdin would have to be just as important, yet input() is a function.
If you look at the list of reserved keywords and the list of statements which are not expressions, print clearly stands out which is another hint that there must be very specific reasons.
I think print had to be a statement and not an expression, to avoid a security breach in input(). Remember that input() in Python2 evaluates whatever the user types into stdin. If the user typed print a and a holds a list of all passwords, that would be quiet catastrophic.
Apparently, the ability of input() to evaluate expressions was considered more important than print being a normal built-in function.