This article explains and explores the vulnerability in the input() function in Python 2.x for Data Science. In Python 3.x the built-in input() was redefined and behaves like Python 2's raw_input().
Methods to input data in Python 2.x:
- input() function: This evaluates the entered text as a Python expression, so the value keeps the type it was typed with, without any conversion.
- raw_input() function: This converts the entered text explicitly to a string.
The examples below will make things clear.
Note: With the input() function, a string value has to be enclosed in double-quotes. This is not necessary with the raw_input() function.
Vulnerability in input() method:
The vulnerability in the input() method is that any variable or function in the program can be accessed by whoever supplies the input, simply by typing its name.
- Variable name as input: Typing the name of a variable as the input returns that variable's value directly.
In the second case the variable name “secret_number” is typed as the input, and the result is the variable's value. This is not possible with raw_input(), because it does not allow the variable to be read directly.
- Function name as input: Here a call to a function is given as input, and values that were never meant to be accessible are returned.
As in the first case, we were able to read the secret value just by entering secretfunction().
This is not possible with the raw_input() function, because the entered text is simply converted to a string.
Preventing Input Vulnerabilities:
To prevent vulnerabilities in the input function, it is in our best interest to use raw_input() in Python 2.x for Data Science and convert the returned string explicitly to whatever type we want. Consider the following example.
n = int(raw_input())
Because raw_input() never evaluates the text it receives, this prevents the malicious calling or evaluation of functions and variables.
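As an added example (not from the original article), the two cases above re-created in Python 3, where py2_input() emulates Python 2's input() with eval, secret_number and secretfunction() are constructed names, and the two hardened functions show the raw_input()-plus-int() pattern beside a type-preserving alternative based on ast.literal_eval:

```python
import ast

secret_number = 42  # constructed sample value the program never intended to expose


def secretfunction():
    # constructed helper standing in for any function a user should not be able to call
    return secret_number


def py2_input(text):
    # Python 2's input() is eval(raw_input()): whatever the user types is run as an
    # expression in the program's namespace, so a variable or function name resolves.
    return eval(text, globals())


def safe_int_input(text):
    # Equivalent of int(raw_input()): the text is only ever parsed as an integer,
    # so a variable name or a function call is rejected instead of evaluated.
    try:
        return int(text.strip())
    except ValueError:
        return None


def safe_literal_input(text):
    # If the "value keeps its type" behaviour of input() is wanted, ast.literal_eval
    # accepts numbers, strings, lists and similar literals but refuses names and calls.
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError):
        return None


if __name__ == "__main__":
    for typed in ["7", "secret_number", "secretfunction()"]:
        print(repr(typed), py2_input(typed), safe_int_input(typed), safe_literal_input(typed))
```

Running it shows py2_input() returning 42 for both the variable name and the function call, while the two hardened parsers return None for them and only accept the literal 7.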