Python vulnerability in input() function
In this article, we will learn how the built-in input() function behaves in an undesirable manner in Python 2.x. In Python 2.x, input() does not return the typed text: it evaluates the text as a Python expression (it is equivalent to eval(raw_input())), and raw_input() is the function that returns the text as a plain string. In Python 3.x, raw_input() was renamed to input() and the evaluating form of input() was removed, so the problem described here does not exist there.
Firstly, let's look at the two built-in functions for taking input in Python 2.x.
# Input Given : String
# Note: for input() the string must be typed with quotes, e.g. 'abc'; an unquoted
# word is evaluated as an expression and raises NameError (or resolves a variable name).
str1 = raw_input("Output of raw_input() function: ")
print type(str1)
str2 = input("Output of input() function: ")
print type(str2)

# Input Given : Float
str3 = raw_input("Output of raw_input() function: ")
print type(str3)
str4 = input("Output of input() function: ")
print type(str4)

# Input Given : Integer
str5 = raw_input("Output of raw_input() function: ")
print type(str5)
str6 = input("Output of input() function: ")
print type(str6)

Output (the values typed at each prompt are not shown; the type printed after each prompt is):

Output of raw_input() function: (string typed)
<type 'str'>
Output of input() function: (quoted string typed)
<type 'str'>
Output of raw_input() function: (float typed)
<type 'str'>
Output of input() function: (float typed)
<type 'float'>
Output of raw_input() function: (integer typed)
<type 'str'>
Output of input() function: (integer typed)
<type 'int'>
Explanation − From the output, it is evident that raw_input() always returns the typed text as a string, irrespective of what was typed. input(), on the contrary, evaluates the typed text as an expression, so the result has whatever type that expression yields: int for 42, float for 4.2, and str only if the user typed a quoted literal such as 'abc'.
After seeing the above example you may be wondering: if input() conveniently gives back the "right" type, why is it vulnerable? The reason is that evaluation is not limited to literals; any expression, including names and function calls in the program's namespace, is accepted. Let's clarify this using an illustration −
ILLUSTRATION 1: Now let’s make a dice game using the random module.
import random as rd

number = rd.randint(1, 6)   # the secret the player has to guess
print ("Pick a number between 1 to 6")
while True:
    user_input = input("Guess the number: ")   # Python 2: the typed text is evaluated
    if user_input == number:
        print ("You guessed it right.")
        break
    else:
        print ("OOPS! try it next time.")
        continue

Explanation − If the user types an integer, the conditional expression behaves as intended and the guess is compared with the generated number.
What one would expect for non-numeric input is an error, or at least a failed comparison. Instead, if the user types the text number, i.e. the name of the variable holding the generated value, input() evaluates that name in the program's namespace and returns the secret itself. The comparison yields True and the game ends as if the user had guessed correctly. (Typing a name that does not exist raises a NameError instead of a clean "wrong input" message.) If raw_input() is used instead, the text "number" is just a string, it never equals an integer, and no such issue is encountered.
This vulnerability may prove fatal when the value being compared is a login credential, a PIN or a password.
ILLUSTRATION 2: Now let's make a system which asks for a PIN and compares it with the stored value.
stored_value = 7863

def return_function():
    return stored_value

inp = input()   # Python 2: "stored_value" or "return_function()" both evaluate to 7863
if inp == stored_value:
    print "You Entered Correctly"
else:
    print "Oops! It's Incorrect"

As in the previous illustration, an integer input behaves normally. But if the user types the variable name stored_value, or the call return_function(), input() evaluates it and returns the stored PIN, so the conditional becomes True and access is granted without the user ever knowing the PIN. Any other expression that evaluates to 7863 (for example 7000 + 863) works as well.
This is very dangerous when handling critical and confidential information like PINs and passwords. Because input() is effectively eval() on untrusted text, the user can also run arbitrary expressions, not only read variables. In Python 2.x this is overcome by using raw_input() and validating or converting the returned string yourself (for example int(raw_input()) inside a try/except), or by moving to Python 3.x, where input() no longer evaluates its input.
From the above two illustrations, it is clear that the Python 2 input() function lets a user evaluate arbitrary expressions in the program's namespace, so any comparison against it can be satisfied simply by naming the variable or function that holds the expected value.
In this article, we learnt what issues are encountered while using the input() function in Python 2.x and how raw_input() avoids them.
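To make both illustrations reproducible on a current interpreter, here is an added example (not code from the original article) written in Python 3. Python 3's input() no longer evaluates text, so the helper py2_input() emulates the Python 2 behaviour with eval() on a string passed in as an argument instead of read from stdin. The PIN, the attempt strings and the helper names are constructed for this demonstration; check_pin_safe() shows the hardened alternative that treats the input as opaque text, validates its shape and compares it in constant time.

```python
import hmac

# Constructed sample secret for the demonstration (not a real credential).
STORED_PIN = 7863


def return_stored_pin():
    """Helper with the same role as the article's return_function()."""
    return STORED_PIN


def py2_input(text):
    """Emulate Python 2's input(): the typed text is evaluated as an expression
    in the program's namespace (Python 2 implemented it as eval(raw_input())).
    The text is taken as an argument so the function can be exercised offline."""
    return eval(text, globals())  # deliberately insecure: this IS the vulnerability


def check_pin_vulnerable(text):
    """The article's pattern: compare the evaluated input with the stored value."""
    return py2_input(text) == STORED_PIN


def check_pin_safe(text):
    """Hardened version: treat the input as opaque text (what raw_input() or
    Python 3 input() returns), check it has the shape of a PIN, and compare it
    with a constant-time comparison so the check leaks nothing about the secret."""
    candidate = text.strip()
    if len(candidate) != 4 or any(c not in "0123456789" for c in candidate):
        return False
    return hmac.compare_digest(candidate, str(STORED_PIN))


# Constructed attempts: what an attacker might type at the PIN prompt.
ATTEMPTS = [
    "7863",                 # the real PIN
    "1234",                 # a wrong PIN
    "STORED_PIN",           # the variable name: eval resolves it to 7863
    "return_stored_pin()",  # a call that returns the stored value
    "7000 + 863",           # any expression that evaluates to 7863
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print("%-22r vulnerable=%-5s safe=%s"
              % (attempt, check_pin_vulnerable(attempt), check_pin_safe(attempt)))
```

Running the block shows that only the real PIN passes check_pin_safe(), whereas the variable name, the function call and the arithmetic expression all pass check_pin_vulnerable() without the attacker knowing the PIN. The same mechanism defeats the dice game above: typing the name of the variable holding the random number always "guesses" it.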