From the Python 2to3 doc:
input:
Converts input(prompt) to eval(input(prompt))
I am currently trying to learn Python 3 after a few years working with Python 2. Can anybody please explain why the tool inserts eval before the call to input, and whether I should do so in all my Python 3 code?
Python 2's old input behavior has been removed; Python 3's current input is what was previously named raw_input. raw_input and Python 3's input always return a string, unlike the old input, which tries to evaluate the input as an expression.
The 2to3 tool inserted an eval because it has no way to tell if you're relying on the old input automatically evaluating its inputs. The old input behavior is deemed a mistake because you can evaluate pretty much any valid Python expression, therefore any Python program that uses input() has a glaring security hole. After conversion, you should evaluate each use of eval and determine whether that part of the code is going to be receiving any untrusted user input.
You should never use eval(input()), except perhaps in throwaway scripts. There is no way to make eval secure.
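As an added example (not code from the question or the answer above), this is one way to replace a converted eval(input(...)) when the old Python 2 code expected the user to type a literal such as a number or a list: ast.literal_eval accepts literals only and refuses names, calls and arithmetic. The names read_literal and classify are assumptions for this illustration.

```python
import ast


def read_literal(raw, expected_type):
    """Parse text that Python 2's input() would have passed to eval(),
    but accept only a Python literal (number, string, tuple, list, dict)
    of the expected type. literal_eval never calls functions, never looks
    up names and never performs arithmetic, so untrusted text cannot run
    code the way eval(input()) would."""
    try:
        value = ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a valid literal: {raw!r}") from exc
    if not isinstance(value, expected_type):
        raise ValueError(
            f"expected {expected_type.__name__}, got {type(value).__name__}")
    return value


def classify(raw, expected_type):
    """Return 'ok' if read_literal accepts the text, 'rejected' otherwise."""
    try:
        read_literal(raw, expected_type)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs standing in for what a user would type.
    print(read_literal("42", int))                      # 42
    print(read_literal("[1, 2, 3]", list))              # [1, 2, 3]
    # Arithmetic and calls are not literals: eval() would execute them,
    # literal_eval refuses them.
    print(classify("74*11", int))                       # rejected
    print(classify("__import__('os').getcwd()", str))   # rejected
```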
so here's the problem:
letsSay = "!math 74*11"
l = letsSay.split("!math ")[1]
formatted = f"{l}"
print(formatted)
It outputs "74*11" instead of doing the operation. How do I make it do the operation first?
Given the form of the input string, which starts with !math, I believe you are writing a bot for an online chat room. Even if you are not, but especially if you are, do not use eval to compute the result. The eval function is dangerous, because it runs arbitrary code provided as a string; especially when that string comes from an untrusted user on an internet chat room, using eval is like giving your house key to any random stranger who asks for it. This is called remote code execution, and it is a very serious security vulnerability.
The correct solution to your problem is to use a library or API for evaluating mathematical expressions which does not execute arbitrary code as a string. See this other question for examples.
Does the input() function have security issues?
For your information, I am using python 3.x currently.
Yes and No.
It just takes whatever is passed in and returns it in string-form (at least on Python-3.x). What you do with that string could be unsafe though. The most prominent example for an unsafe processing of input is eval - don't use that function on the string returned from input - ever!
However, it's unsafe for security-related information because what you entered is visible in the prompt (shoulder surfing)! If you want to hide it, for example for password prompts, you should use the built-in getpass module instead (or a similar library).
I am experimenting with writing more forgiving/flexible functions and would like to know if it is possible to access the input arguments of a function as strings, before Python checks for syntax errors, NameErrors, etc., (for the purposes of doing my own input checking first)?
No. What you are looking for is sophisticated macro functionality. You can do this in Lisp, but Python (like most languages) does not support it.
If you want, you can preprocess a file and parse it using the ast module. But you would have to do this as a separate step, before you run your Python script.
I am trying to do some work on 2-SAT and 3-SAT for an assignment and I was allowed to search the web for the implementation of the program. I came across 2 programs in Python that basically I can run and they enable me to continue with my assignment. However I can't get the output from one program to feed the other one:
The code here: http://goo.gl/6fdlq should provide input for the code here: http://goo.gl/rdfyR
which is what the instructions say:
Problem generator in Python - Generates either C syntax expressions or the input to... Fully functional GSAT solver in Python - takes input from the above and attempts to satisfy it, while generating a log of the output intended to be instructional to those unfamiliar with the GSAT algorithm.
Could anyone please tell me how to do this?
What you want to do is pipe the output from the first script into the second.
Since the scripts seem to be named 3sat.py and gsat.py respectively, just cd into the directory where they're located and run:
./3sat.py | ./gsat.py
or, equivalently:
python 3sat.py | python gsat.py
Why is print a keyword in python and not a function?
Because Guido has decided that he made a mistake. :)
It has since been corrected: try Python 3, which dedicates a section of its release notes to describing the change to a function.
For the whole background, see PEP 3105 and the several links provided in its References section!
print was a statement in Python because it was a statement in ABC, the main inspiration for Python (although it was called WRITE there). That in turn probably had a statement instead of a function as it was a teaching language and as such inspired by BASIC. Python on the other hand, turned out to be more than a teaching language (although it's good for that too).
However, nowadays print is a function. Yes, in Python 2 as well, you can do
from __future__ import print_function
and you are all set. Works since Python 2.6.
It is now a function in Python 3.
The print statement in Python 2.x has some special syntax which would not be available for an ordinary function. For example you can use a trailing , to suppress the output of a final newline or you can use >> to redirect the output to a file. But all this wasn't convincing enough even to Guido van Rossum himself to keep it a statement -- he turned print into a function in Python 3.x.
An answer that draws from what I appreciate about the print statement, but not necessarily from the official Python history...
Python is, to some extent, a scripting language. Now, there are lots of definitions of "scripting language", but the one I'll use here is: a language designed for efficient use of short or interactive programs. Such languages tend to allow one-line programs without excessive boilerplate; make keyboard input easier (for instance, by avoiding excessive punctuation); and provide built-in syntax for common tasks (convenience at the possible expense of purity). In Python's case, printing a value is a very common thing to do, especially in interactive mode. Requiring print to be a function seems unnecessarily inconvenient here. There's a significantly lower risk of error with the special syntax that does the right thing 99% of the time.
I will throw in my thoughts on this:
In Python 2.x print is not a statement by mistake, or because printing to stdout is such a basic thing to do. Everything else is so thought-through or has at least understandable reasons that a mistake of that order would seem odd. If communicating with stdout would have been considered so basic, communicating with stdin would have to be just as important, yet input() is a function.
If you look at the list of reserved keywords and the list of statements which are not expressions, print clearly stands out which is another hint that there must be very specific reasons.
I think print had to be a statement and not an expression, to avoid a security breach in input(). Remember that input() in Python 2 evaluates whatever the user types into stdin. If the user typed print a and a holds a list of all passwords, that would be quite catastrophic.
Apparently, the ability of input() to evaluate expressions was considered more important than print being a normal built-in function.