David Hutto wrote:
> On Sat, Dec 11, 2010 at 11:54 AM, Lie Ryan <lie.1...@gmail.com> wrote:
>> On 12/07/10 23:37, Robert Sjöblom wrote:
>>> I've been told to use input() if I know that I'll only get integers,
>>> and raw_input() for "everything."
>> That is a bad piece of advice. You should only use input() when you can
>> fully trust whoever is doing the input (i.e. you).
> Who uses the crap we, as noobies, produce? It's pie in the sky
> mentality. We design it because WE want it and WE (individually) use
> it.
Do you want to learn good habits or learn bad habits? I think we've seen
plenty of evidence on this mailing list that you have little interest in
learning good habits, but actively defend your right to learn bad habits.
There are plenty of people who do the same. They're harmless and even
pathetically amusing as newbies, and then they get a job working as a
professional programmer, and end up writing crappy, bug-addled code
filled with the sort of n00b errors that we've been warning about.
Bug-addled code with *real* consequences.
Command injection bugs are hugely common in the real world. At least
four of the 25 most common security bugs in *professional* software are
in my opinion varieties of the command injection flaw, and one of those
is the SECOND most common flaw:
SQL injection attack #2 most common
Unrestricted upload of dangerous files #8 most common
OS command injection #9 most common
PHP file inclusion attack #13 most common
http://cwe.mitre.org/top25/
OS command injection is *exactly* the sort of thing we're warning about.
Feel free to continue learning bad habits, but please stop trying to
encourage others to do the same.
--
Steven
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
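The input()/raw_input() point in the thread above, as an added example that is not part of the original mail: on Python 2, input() was equivalent to eval(raw_input()), so a prompt that expected an integer would evaluate whatever expression was typed. The block below (Python 3, where input() already returns a plain string like the old raw_input()) puts that eval-style reader next to a strict integer parser; the function names and the sample inputs are my own.

```python
import re

# Strict shape of an integer: optional sign, ASCII digits only.
# int() alone is looser (it accepts underscores and non-ASCII digits),
# so we validate the text before converting it.
_INT_RE = re.compile(r"[+-]?[0-9]+")


def py2_style_read_int(text):
    """Mimic Python 2's input(): evaluate the text as a Python expression.

    This is the UNSAFE pattern the thread warns about: anything typed at
    the prompt is executed, not just parsed.
    """
    return eval(text)  # deliberately unsafe, kept for contrast only


def safe_read_int(text, lo=None, hi=None):
    """Parse text as a plain integer, rejecting anything else.

    Mirrors the raw_input()-then-convert habit: the string is checked
    against _INT_RE, converted with int(), and optionally bounded to the
    range the program actually expects. Raises ValueError on rejection.
    """
    stripped = text.strip()
    if not _INT_RE.fullmatch(stripped):
        raise ValueError("not an integer: %r" % text)
    value = int(stripped)
    if lo is not None and value < lo:
        raise ValueError("%d is below the minimum %d" % (value, lo))
    if hi is not None and value > hi:
        raise ValueError("%d is above the maximum %d" % (value, hi))
    return value


def compare(text):
    """Return (eval-style result, strict-parser result) for one input line."""
    try:
        unsafe = repr(py2_style_read_int(text))
    except Exception as exc:  # eval can raise almost anything
        unsafe = "error: %s" % type(exc).__name__
    try:
        safe = repr(safe_read_int(text, lo=0, hi=100))
    except ValueError:
        safe = "rejected"
    return unsafe, safe


if __name__ == "__main__":
    # Constructed sample inputs: only the first is an integer literal.
    for line in ["42", "6*7", "len('hello')", "abc"]:
        print("%-14r eval-style: %-16s strict: %s" % ((line,) + compare(line)))
```

The eval-style reader turns "6*7" and "len('hello')" into 42 and 5, i.e. it runs code the program never asked for, while the strict parser accepts only "42".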