
I'm wondering how to use a string from raw_input safely so that I can create a function to replace it for a script that is meant to be used easily and securely.

The reason is that I am trying to make a character-sheet generating application using Python and need to be able to get a character's full name to pass as a string, using a name for easy access (Charname_NLB).

However, as I'm looking to use this for more than that application, I need this to be usable for any string entered as raw input, using this alternate command.

I already have a similar piece made for input of integers and would like to integrate it into the same class, for simplicity's sake. I'll post it here, with thanks to Mgilson and BlueKitties (from here and www.python-forum.org respectively):

    def safeinput(get_num):
        # raw_input() returns the typed text as a plain string (Python 2);
        # float() then converts it, or raises ValueError if it is not numeric.
        num = float(raw_input(get_num))
        return num

However, if this would not return the same result as the base input command safely, could I please get a working copy, as I currently have only one proof of concept to work with, and it wouldn't be accurate with truncated numbers.

Edit: By "any string", I mean specifically that the result will be stored as a string, not used as a command.

user1524705
  • Good day. What is your question? – Dmitry Zagorulkin Aug 24 '12 at 05:42
  • When you say "any string"- are you including executable Python code? Or only literals like ints, floats, lists, strings... – David Robinson Aug 24 '12 at 05:46
  • If you want to enter executable Python code you may use 'input()' instead of 'raw_input()' – Dmitry Zagorulkin Aug 24 '12 at 05:50
  • Zagorulkin: But that wouldn't be safe. I think the idea is to use `eval` on the input string, but prevent any malicious behavior. (Like I said, this would be possible if he just wants literals to be input, but if he actually wants to be able to provide Python code...) – David Robinson Aug 24 '12 at 05:54
  • delete sys.path and execute in a sandbox? (like here: http://stackoverflow.com/questions/4558104/python-evalcompile-sandbox-globals-go-in-sandbox-unless-in-def-why) – unddoch Aug 24 '12 at 06:13
  • Okay, this question may have been pointless if raw_input() is safe by default. If it is, I certainly have been wasting my time. – user1524705 Sep 06 '12 at 05:26

1 Answer


Not sure if this is what you are asking for. literal_eval is safe, but only works for literals. It's very difficult to use eval() safely if you have to sanitise the input.

>>> from ast import literal_eval
>>> def safeinput(s):
...     try:
...         return literal_eval(s)
...     except (ValueError, SyntaxError):      # raised for anything that is not a literal
...         return s                           # (a bare except would also swallow KeyboardInterrupt)
... 
>>> repr(safeinput("1"))
'1'                                            # converted to an int
>>> repr(safeinput("1.1"))
'1.1'                                          # converted to a float
>>> repr(safeinput("'some string in quotes'"))
"'some string in quotes'"                      # converted to a string
>>> repr(safeinput("some string without quotes"))
"'some string without quotes'"                 # no conversion necessary
John La Rooy