Is it ever useful to use Python's input over raw_input?

Time: 2021-08-24 20:15:18

I currently teach first year university students python, and I was surprised to learn that the seemingly innocuous input function, that some of my students had decided to use (and were confused by the odd behaviour), was hiding a call to eval behind it.

So my question is, why does the input function call eval, and what would this ever be useful for that it wouldn't be safer to do with raw_input? I understand that this has been changed in Python 3, but it seems like an unusual design decision in the first place.

Python 2.x input function documentation

4 solutions

#1


34  

Is it ever useful to use Python 2's input over raw_input?

No.


input() evaluates the code the user gives it. It puts the full power of Python in the hands of the user. With generator expressions/list comprehensions, __import__, and the if/else operators, literally anything Python can do can be achieved with a single expression. Malicious users can use input() to remove files (__import__('os').remove('precious_file')), monkeypatch the rest of the program (setattr(__import__('__main__'), 'function', lambda:42)), ... anything.

A normal user won't need to use all the advanced functionality. If you don't need expressions, use ast.literal_eval(raw_input()) – the literal_eval function is safe.

If you're writing for advanced users, give them a better way to input code. Plugins, user modules, etc. – something with the full Python syntax, not just the functionality.

If you're absolutely sure you know what you're doing, say eval(raw_input()). The eval screams "I'm dangerous!" to the trained eye. But, odds are you won't ever need this.


input() was one of the old design mistakes that Python 3 is solving.


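Added example (editor's, not part of the answer above): the answer recommends ast.literal_eval(raw_input()) when only literal values are needed. The block below feeds constructed sample strings, including the two payload strings quoted in the answer and a bare variable name, through literal_eval and reports which ones it accepts. Nothing is executed: calls, attribute access and names are rejected with an exception, which is the whole point of preferring it over input(). The function names and the sample list are this example's own.

```python
import ast

# Constructed sample strings, standing in for lines a user might type at a
# Python 2 input() prompt. The last two are the payloads quoted in the answer
# above; this example never passes any of them to eval.
SAMPLE_INPUTS = [
    "45",                                        # a plain number literal
    "[1, 2, {'name': 'Arthur'}]",                # nested literals are fine
    "name",                                      # bare identifier: input() would read the program's variable
    "__import__('os').remove('precious_file')",  # a call: must never be evaluated
    "setattr(__import__('__main__'), 'function', lambda:42)",  # another call
]


def parse_literal(text):
    """Parse `text` with ast.literal_eval and report the outcome.

    Returns ("ok", value) when the text is a Python literal (numbers, strings,
    bytes, tuples, lists, dicts, sets, booleans, None) and ("rejected", reason)
    for anything else. Names, calls and attribute lookups are never evaluated,
    so the program's own variables and modules stay out of the user's reach.
    """
    try:
        return ("ok", ast.literal_eval(text))
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        return ("rejected", type(exc).__name__)


def classify_all(inputs=SAMPLE_INPUTS):
    """Map each sample string to its parse_literal outcome."""
    return {text: parse_literal(text) for text in inputs}


if __name__ == "__main__":
    for text, outcome in classify_all().items():
        print("%-58s -> %r" % (text, outcome))
```

Note that literal_eval still parses the text into an AST before deciding, so a hostile user can make it raise (deeply nested brackets, huge input); catching the listed exceptions and treating them as "rejected" is what keeps the calling program in control.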
#2


7  

Python's input function returns an object that's the result of evaluating the expression. The raw_input function returns a string.

name = "Arthur"
age = 45

first = raw_input("Please enter your age ")
second = input("Please enter your age again ")

# first will always contain a string

# second could contain any object and you can even
# type in a calculation and use "name" and "age" as
# you enter it at run time ...

print "You said you are",first
print "Then you said you are",second

examples of that running:

Example: 1

Prompt$ python yraw 
Please enter your age 45 
Please enter your age again 45 
You said you are 45 Then you said you are 45

Example: 2

Prompt$ python yraw
Please enter your age 45 + 7
Please enter your age again 45 + 7
You said you are 45 + 7 Then you said you are 52 
Prompt$

Q. why does the input function call eval?

A. Consider the scenario where the user inputs an expression '45 + 7': input will give the correct result, compared to raw_input, in Python 2.x.

#3


4  

input is pretty much only useful as a building block for an interactive python shell. You're certainly right that it's surprising it works the way it does, and is rather too purpose-specific to be a builtin - which I presume is why it got removed from Python 3.

#4


1  

raw_input is better. It always returns the input of the user without changes. Conversely, the input() function will try to convert things you enter as if they were Python code, and it has security problems, so you should avoid it.

In a real program, don't use input(). Parse your input with something that handles the specific input format you're expecting, not by evaluating the input as Python code.

