Can you inject stuff in python??

p4p1 [lexostras]
10 years ago | edited 10 years ago

0

So you might think that this is wierd but yeah, I was board around an hour ago so I decided to look up at python tutorials on youtube and I saw the raw_input() statement and it came to me with a flash can you inject python, so I tested and the awnser is obviously no because wen you ask for input in python and then just print out what you asked, its going to spit it up without checking and it does not use quotes.
FIRST TEST:
hy = raw_input() print hy
After that I thought about those string format with %r and such,
So i did this:
print "so I said %r " % hy
I used %r because the %s turns the code into a string and the %r just uses the raw data. So of course it does not work but my actuall question is WHY?? I understand that python does stuff to the data that you give in the input but what does it do and is there a way to counter it???

I know that this thread is in some sort use less but I found this really exciting and I really would like to know how it works.

Used to be lexostras…. but i got tierd of my name so now it’s worst…..
My github dont click this

dloser
10 years ago

0

Not that it matters, but “%r” doesn’t “just uses the raw data” (whatever you think that means). Also, “hy” is already a string.

Why would you think that “print” would execute any code? And what do you think it does to the input?

If you want to inject code, you need to get that code evaluated in some way (e.g. using “eval”). This holds for any language and is in no way happening in your example.

p4p1 [lexostras]
10 years ago

0

Thanks @dloser I have to say that I did not really understand everything but I think that is because I am new with python, thanks a lot i will look up what you told me :)

Used to be lexostras…. but i got tierd of my name so now it’s worst…..
My github dont click this