Is it ever useful to use Python's input over raw_input?
Question:
I currently teach first year university students python, and I was surprised to learn that the seemingly innocuous input function, that some of my students had decided to use (and were confused by the odd behaviour), was hiding a call to eval behind it.
So my question is, why does the input function call eval, and what would this ever be useful for that it wouldn’t be safer to do with raw_input? I understand that this has been changed in Python 3, but it seems like an unusual design decision in the first place.
Answers:
input is pretty much only useful as a building block for an interactive python shell. You’re certainly right that it’s surprising it works the way it does, and is rather too purpose-specific to be a builtin – which I presume is why it got removed from Python 3.
Python Input function returns an object that’s the result
of evaluating the expression.
raw_input function returns a string
name = "Arthur"
age = 45
first = raw_input("Please enter your age ")
second = input("Please enter your age again ")
# first will always contain a string
# second could contain any object and you can even
# type in a calculation and use "name" and "age" as
# you enter it at run time ...
print "You said you are",first
print "Then you said you are",second
examples of that running:
Example: 1
Prompt$ python yraw
Please enter your age 45
Please enter your age again 45
You said you are 45 Then you said you are 45
Example: 2
Prompt$ python yraw
Please enter your age 45 + 7
Please enter your age again 45 + 7
You said you are 45 + 7 Then you said you are 52
Prompt$
Q. why does the input function call eval?
A. Consider the scenario where user inputs an expression ’45 + 7′ in input, input will give correct result as compared to raw_input in python 2.x
Is it ever useful to use Python 2’s input over raw_input?
No.
input() evaluates the code the user gives it. It puts the full power of Python in the hands of the user. With generator expressions/list comprehensions, __import__, and the if/else operators, literally anything Python can do can be achieved with a single expression. Malicious users can use input() to remove files (__import__('os').remove('precious_file')), monkeypatch the rest of the program (setattr(__import__('__main__'), 'function', lambda:42)), … anything.
A normal user won’t need to use all the advanced functionality. If you don’t need expressions, use ast.literal_eval(raw_input()) – the literal_eval function is safe.
If you’re writing for advanced users, give them a better way to input code. Plugins, user modules, etc. – something with the full Python syntax, not just the functionality.
If you’re absolutely sure you know what you’re doing, say eval(raw_input()). The eval screams “I’m dangerous!” to the trained eye. But, odds are you won’t ever need this.
input() was one of the old design mistakes that Python 3 is solving.
raw_input is better, It always returns the input of the user without changes.
Conversely The input() function will try to convert things you enter as if they were Python code, and it has security problems so you should avoid it.
In real program don’t use input(), Parse your input with something that handles the specific input format you’re expecting, not by evaluating the input as Python code.
I currently teach first year university students python, and I was surprised to learn that the seemingly innocuous input function, that some of my students had decided to use (and were confused by the odd behaviour), was hiding a call to eval behind it.
So my question is, why does the input function call eval, and what would this ever be useful for that it wouldn’t be safer to do with raw_input? I understand that this has been changed in Python 3, but it seems like an unusual design decision in the first place.
input is pretty much only useful as a building block for an interactive python shell. You’re certainly right that it’s surprising it works the way it does, and is rather too purpose-specific to be a builtin – which I presume is why it got removed from Python 3.
Python Input function returns an object that’s the result
of evaluating the expression.
raw_input function returns a string
name = "Arthur"
age = 45
first = raw_input("Please enter your age ")
second = input("Please enter your age again ")
# first will always contain a string
# second could contain any object and you can even
# type in a calculation and use "name" and "age" as
# you enter it at run time ...
print "You said you are",first
print "Then you said you are",second
examples of that running:
Example: 1
Prompt$ python yraw
Please enter your age 45
Please enter your age again 45
You said you are 45 Then you said you are 45
Example: 2
Prompt$ python yraw
Please enter your age 45 + 7
Please enter your age again 45 + 7
You said you are 45 + 7 Then you said you are 52
Prompt$
Q. why does the input function call eval?
A. Consider the scenario where user inputs an expression ’45 + 7′ in input, input will give correct result as compared to raw_input in python 2.x
Is it ever useful to use Python 2’s input over raw_input?
No.
input() evaluates the code the user gives it. It puts the full power of Python in the hands of the user. With generator expressions/list comprehensions, __import__, and the if/else operators, literally anything Python can do can be achieved with a single expression. Malicious users can use input() to remove files (__import__('os').remove('precious_file')), monkeypatch the rest of the program (setattr(__import__('__main__'), 'function', lambda:42)), … anything.
A normal user won’t need to use all the advanced functionality. If you don’t need expressions, use ast.literal_eval(raw_input()) – the literal_eval function is safe.
If you’re writing for advanced users, give them a better way to input code. Plugins, user modules, etc. – something with the full Python syntax, not just the functionality.
If you’re absolutely sure you know what you’re doing, say eval(raw_input()). The eval screams “I’m dangerous!” to the trained eye. But, odds are you won’t ever need this.
input() was one of the old design mistakes that Python 3 is solving.
raw_input is better, It always returns the input of the user without changes.
Conversely The input() function will try to convert things you enter as if they were Python code, and it has security problems so you should avoid it.
In real program don’t use input(), Parse your input with something that handles the specific input format you’re expecting, not by evaluating the input as Python code.