Vulnerability in input() function – Python 2.x
Last Updated :
29 Mar, 2024
This article aims to explain and explore the vulnerability in the input() function in Python 2.x. In Python 3, the raw_input() function was erased, and its functionality was transferred to a new built-in function known as input().
Different Ways to Input Data in Python 2.x
There are two common methods to receive input in Python 2.x:
- input() function: This function takes the value and type of the input you enter as it is without modifying any type.
- raw_input() function: This function explicitly converts the input you give to type string,
Let us use the following program to determine the difference between the two:
Python
# Python 2.x program to show differences between
# input() and rawinput()function
s1 = raw_input("Enter input to test raw_input() function: ")
print type(s1)
s2 = raw_input("Enter input to test raw_input() function: ")
print type(s2)
s3 = raw_input("Enter input to test raw_input() function: ")
print type(s3)
# 3 inputs using input() function,
s4 = input("Enter input to test input() function: ")
print type(s4)
s5 = input("Enter input to test input() function: ")
print type(s5)
s6 = input("Enter input to test input() function: ")
print type(s6)
Input:
Hello
456
[1,2,3]
45
"goodbye"
[1,2,3]
Output:
Enter input to test raw_input() function: <type 'str'>
Enter input to test raw_input() function: <type 'str'>
Enter input to test raw_input() function: <type 'str'>
Enter input to test input() function: <type 'int'>
Enter input to test input() function: <type 'str'>
Enter input to test input() function: <type 'list'>
Note: While giving string input in the input() function, we have to enclose to value in double-quotes. This is not required in raw_input()
Vulnerability in input() Method
The vulnerability in input() method lies in the fact that the variable accessing the value of input can be accessed by anyone just by using the name of the variable or method. Below are some vulnerability in input() method:
- Variable name as input parameter:
- Function name as parameter
Variable Name as Input Parameter
The variable having the value of input variable is able to access the value of the input variable directly.
Python3
# Python 3 to demonstrate difference in input() function
import random
secret_number = random.randint(1,500)
print ("Pick a number between 1 to 500")
while True:
res = input("Guess the number: ")
if res==secret_number:
print ("You win")
break
else:
print ("You lose")
continue
# Python 2.x program to show Vulnerabilities
# in input() function using a variable
import random
secret_number = random.randint(1,500)
print "Pick a number between 1 to 500"
while True:
res = input("Guess the number: ")
if res==secret_number:
print "You win"
break
else:
print "You lose"
continue
Input1:
15
Output1:
Pick a number between 1 to 500
Guess the number: You lose
Guess the number:
Input2:
secret_number
Output2:
Pick a number between 1 to 500
Guess the number: You win
As it can be seen, in the second case the variable "secret_number" can be directly given as input and the answer is always "You won". It evaluates the variable as if a number was directly entered, which means it returns a True Boolean always. Using raw_input, would not be possible as it disallows reading the variable directly.
Python 3 shows different results. If "secret_number" is given as input, answer is 'You lose'.
Function Name as Parameter
The vulnerability lies here as we can even provide the name of a function as input and access values that are otherwise not meant to be accessed. In this set of input/output, we can see that when we use raw_input, we necessarily have to input the correct number. However while using the input() function, we can even provide the name of a function or variable, and the interpreter will evaluate that. Here for example, the input for input() function has been given as the name of a function 'secretfunction()'. The interpreter evaluates this function call and returns the secret number that we wish to find and hence our if the condition evaluates to be true, even though we did not enter the secret number.
Python
# Python 2.x program to demonstrate input() function
# vulnerability by passing function name as parameter
secret_value = 500
# function that returns the secret value
def secretfunction():
return secret_value
# using raw_input() to enter the number
input1 = raw_input("Raw_input(): Guess secret number: ")
# input1 will be explicitly converted to a string
if input1 == secret_value:
print "You guessed correct"
else:
print "wrong answer"
# using input() to enter the number
input2 = input("Input(): Guess the secret number: ")
#input2 is evaluated as it is entered
if input2 == secret_value:
print "You guessed correct"
else:
print "wrong answer"
Input1:
400
secretfunction()
Output1:
Raw_input(): Guess secret number: wrong answer
Input(): Guess the secret number: You guessed correct
As explained in the first point, in this example also we were able to simply enter the variable name 'secret_number' in the input for 'input()' function and we were able to gain access to the secret value. However, while trying to call secretfunction() in the input for the raw_input() function, it gives us false as the interpreter converts our argument to a string, and doesn't evaluate it as a function call.
Input2:
secretfunction()
secret_value
Output2:
Raw_input(): Guess secret number: wrong answer
Input(): Guess the secret number: You guessed correct
Preventing Input Vulnerabilities
It is always better to use raw_input() in python 2.x and then explicitly convert the input to whatever type we require. For example, if we wish to take the input of an integer, we can do the following
n = int(raw_input())
This prevents the malicious calling or evaluation of functions.
Similar Reads
Python Tutorial - Learn Python Programming Language Python is one of the most popular programming languages. It’s simple to use, packed with features and supported by a wide range of libraries and frameworks. Its clean syntax makes it beginner-friendly. It'sA high-level language, used in web development, data science, automation, AI and more.Known fo
10 min read
Python Interview Questions and Answers Python is the most used language in top companies such as Intel, IBM, NASA, Pixar, Netflix, Facebook, JP Morgan Chase, Spotify and many more because of its simplicity and powerful libraries. To crack their Online Assessment and Interview Rounds as a Python developer, we need to master important Pyth
15+ min read
Python OOPs Concepts Object Oriented Programming is a fundamental concept in Python, empowering developers to build modular, maintainable, and scalable applications. By understanding the core OOP principles (classes, objects, inheritance, encapsulation, polymorphism, and abstraction), programmers can leverage the full p
11 min read
Python Projects - Beginner to Advanced Python is one of the most popular programming languages due to its simplicity, versatility, and supportive community. Whether you’re a beginner eager to learn the basics or an experienced programmer looking to challenge your skills, there are countless Python projects to help you grow.Here’s a list
10 min read
Python Exercise with Practice Questions and Solutions Python Exercise for Beginner: Practice makes perfect in everything, and this is especially true when learning Python. If you're a beginner, regularly practicing Python exercises will build your confidence and sharpen your skills. To help you improve, try these Python exercises with solutions to test
9 min read
Python Programs Practice with Python program examples is always a good choice to scale up your logical understanding and programming skills and this article will provide you with the best sets of Python code examples.The below Python section contains a wide collection of Python programming examples. These Python co
11 min read
Python Introduction Python was created by Guido van Rossum in 1991 and further developed by the Python Software Foundation. It was designed with focus on code readability and its syntax allows us to express concepts in fewer lines of code.Key Features of PythonPython’s simple and readable syntax makes it beginner-frien
3 min read
Python Data Types Python Data types are the classification or categorization of data items. It represents the kind of value that tells what operations can be performed on a particular data. Since everything is an object in Python programming, Python data types are classes and variables are instances (objects) of thes
9 min read
Input and Output in Python Understanding input and output operations is fundamental to Python programming. With the print() function, we can display output in various formats, while the input() function enables interaction with users by gathering input during program execution. Taking input in PythonPython input() function is
8 min read
Enumerate() in Python enumerate() function adds a counter to each item in a list or other iterable. It turns the iterable into something we can loop through, where each item comes with its number (starting from 0 by default). We can also turn it into a list of (number, item) pairs using list().Let's look at a simple exam
3 min read