Python vulnerability in input() function

The input() function in Python 2.x had a serious security vulnerability that could allow code injection attacks. Unlike Python 3.x, the Python 2.x input() function evaluates user input as Python code, while raw_input() safely returns a string.

Difference Between input() and raw_input() in Python 2.x

Let's examine how these functions handle different data types in Python 2.x:

# Python 2.x behavior (DO NOT RUN - for illustration only)
# Input Given: "hello" (string)
str1 = raw_input("Output of raw_input() function: ")
print type(str1)  # Always returns <type 'str'>

str2 = input("Output of input() function: ")
print type(str2)  # Returns <type 'str'> only because the input was quoted; the text is evaluated as code

# Input Given: 3.14 (float)
str3 = raw_input("Output of raw_input() function: ")
print type(str3)  # Returns <type 'str'>

str4 = input("Output of input() function: ")
print type(str4)  # Returns <type 'float'>

# Input Given: 42 (integer)
str5 = raw_input("Output of raw_input() function: ")
print type(str5)  # Returns <type 'str'>

str6 = input("Output of input() function: ")
print type(str6)  # Returns <type 'int'>

Output (from the three runs above):

Output of raw_input() function: hello
<type 'str'>
Output of input() function: "hello"
<type 'str'>
Output of raw_input() function: 3.14
<type 'str'>
Output of input() function: 3.14
<type 'float'>
Output of raw_input() function: 42
<type 'str'>
Output of input() function: 42
<type 'int'>

Key Difference: raw_input() always returns a string, while input() evaluates the input as Python code and returns the result.

Security Vulnerability Example: Dice Game

This simple dice game demonstrates the vulnerability:

# Python 2.x vulnerable code (DO NOT RUN)
import random as rd
number = rd.randint(1,6)
print("Pick a number between 1 to 6")

while True:
    user_input = input("Guess the number: ")
    if user_input == number:
        print("You guessed it right.")
        break
    else:
        print("OOPS! try it next time.")
        continue

The Problem: If a user types number (the name of the variable holding the secret) instead of an integer, input() evaluates the text as a Python expression, so user_input receives the value of number and the comparison is True, allowing the user to win without guessing correctly.

Critical Security Risk: PIN Authentication

This example shows how the vulnerability can compromise authentication systems:

# Python 2.x vulnerable code (DO NOT RUN)
stored_value = 7863

def return_function():
    return stored_value

print("Enter your PIN:")
inp = input()

if inp == stored_value:
    print("You Entered Correctly")
else:
    print("Oops! It's Incorrect")

The Attack: An attacker could type stored_value or return_function() instead of the actual PIN; input() evaluates that text as Python code, so inp receives the stored PIN itself and the comparison succeeds, granting unauthorized access.

Safe Alternative in Python 2.x

Always use raw_input() in Python 2.x and convert types explicitly:

# Python 2.x safe approach
stored_pin = "7863"
user_input = raw_input("Enter your PIN: ")

if user_input == stored_pin:
    print("Access granted")
else:
    print("Access denied")

Python 3.x Solution

Python 3.x fixed this vulnerability by making input() behave like Python 2.x's raw_input():

# Python 3.x - input() is safe
stored_pin = "7863"
user_input = input("Enter your PIN: ")

if user_input == stored_pin:
    print("Access granted")
else:
    print("Access denied")

# Type conversion when needed
try:
    number = int(input("Enter a number: "))
    print(f"You entered: {number}")
except ValueError:
    print("Invalid number")
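The following is an added example, not code from the original article: a Python 3 rewrite of both the dice game and the PIN check above, with explicit parsing and validation so that text such as number, stored_value or return_function() is rejected as invalid rather than evaluated. The stored PIN 7863 is taken from the article; the function names, the 1 to 6 range check and the use of hmac.compare_digest for the PIN comparison are this example's own choices.

```python
# Added example (not from the original article): Python 3 replacement for the
# dice game and PIN check above. int() only understands integer literals, so
# names and expressions raise ValueError instead of being evaluated as code,
# which is the behaviour Python 2's input() had.
import hmac
import random


def parse_int_in_range(text, low, high):
    """Convert user text to an int and require low <= value <= high.

    Returns None for anything that is not a plain integer literal in range.
    """
    try:
        value = int(text.strip())
    except (ValueError, AttributeError):
        # Not a string, or not an integer literal ("number", "3.14", "x()" ...)
        return None
    if value < low or value > high:
        return None
    return value


def check_pin(entered, stored_pin):
    """Compare the entered PIN with the stored PIN as strings.

    hmac.compare_digest takes time independent of where the first mismatching
    byte is, so the comparison does not leak PIN digits through timing.
    Both sides are encoded to bytes so non-ASCII input cannot raise TypeError.
    """
    if not isinstance(entered, str):
        return False
    return hmac.compare_digest(entered.strip().encode("utf-8"),
                               stored_pin.encode("utf-8"))


def play_dice(guess_text, secret):
    """One round of the dice game: returns 'win', 'lose' or 'invalid'."""
    guess = parse_int_in_range(guess_text, 1, 6)
    if guess is None:
        return "invalid"
    return "win" if guess == secret else "lose"


if __name__ == "__main__":
    secret = random.randint(1, 6)
    print("Pick a number between 1 and 6")
    while True:
        result = play_dice(input("Guess the number: "), secret)
        if result == "win":
            print("You guessed it right.")
            break
        elif result == "invalid":
            print("Please enter a whole number from 1 to 6.")
        else:
            print("OOPS! try it next time.")

    # Stored PIN from the article's example (a constructed demo value).
    stored_pin = "7863"
    if check_pin(input("Enter your PIN: "), stored_pin):
        print("Access granted")
    else:
        print("Access denied")
```

The important design point is that the program never hands user text to eval() or to any parser that resolves names: int() either yields a number or raises, and the PIN is compared as opaque text, so the injection strings from the article's examples are simply invalid input.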

Key Security Points

  • Never use input() in Python 2.x for user input
  • Always use raw_input() in Python 2.x and convert types explicitly
  • Python 3.x input() is safe and behaves like Python 2.x raw_input()
  • Validate and sanitize all user input regardless of Python version

Conclusion

Python 2.x's input() function was a major security vulnerability that could allow code injection attacks. Always use raw_input() in Python 2.x or upgrade to Python 3.x where input() is safe by default.

Updated on: 2026-03-25T06:16:09+05:30
