Python eval()

This tutorial shows you how to use Python’s built-in eval() function.

Why Using It? The main application of eval() is to take user input at runtime and run it as a Python expression. This way, you can create a calculator or allow users to perform custom computations on a computing cluster. However, this use also poses the biggest security risk: the user can run byzantine (=harmful) code on your server environment!

How does it work? TLDR;

Python eval(s) parses the string argument s into a Python expression, runs it, and returns the result of the expression. This poses a security risk because a user can use it to run code on your computer. For example, if you allow eval(input()), a user could type os.system('rm -R *') to delete all files in your home directory.

Usage Examples

Learn by example! Here are some examples of how to use the eval() built-in function:

>>> eval('2+2')
4
>>> eval('[1, 2, 3]*3')
[1, 2, 3, 1, 2, 3, 1, 2, 3]
>>> eval('[x for x in range(10)]')
[0, 1, 2, 3, 4, 5, 6, 7, 8, 9]
>>> eval('"Alice".replace("e", "")')
'Alic'

You can run any Python code that has a return value within the eval() code. You can even create your own function and run it within eval():

>>> def f():
	return 42

>>> eval('f()')
42

This gives you great flexibility in how you use the function to run any string expression you may encounter in Python and it allows you to create Python code programmatically and evaluate it at runtime.

Python eval() - Visual Explanation

Syntax eval()

You can use the eval() method with three different argument lists.

Syntax: 
eval(string)
eval(string, globals)
eval(string, globals, locals) 
ArgumentsstringA string to be evaluated.
globalsOptional, default None. A dictionary in which you can define variables that should be globally accessible by the executed object (local namespace).
localsOptional, default None. A dictionary in which you can define variables that should be locally accessible by the executed object (global namespace).
Return ValueobjectReturns the result of parsing the string argument and running it as a Python expression.

Python eval() Return Value

The return value of eval() is a Python object that is the result of parsing the string argument and running it as a Python expression. The code can have side effects which means that it may change the state of your program or even your computer!


But before we move on, I’m excited to present you my new Python book Python One-Liners (Amazon Link).

If you like one-liners, you’ll LOVE the book. It’ll teach you everything there is to know about a single line of Python code. But it’s also an introduction to computer science, data science, machine learning, and algorithms. The universe in a single line of Python!

The book was released in 2020 with the world-class programming book publisher NoStarch Press (San Francisco).

Link: https://nostarch.com/pythononeliners

[Danger Zone] Python eval(input()) User Input

You can use the eval() function to run code that is typed in dynamically by the user:

def dangerous_function():
    # Do nasty stuff like removing files
    # or creating trojan horses
    print('You were hacked!')
    return 42

eval(input())

This is how the user may interact with your code at runtime:

dangerous_function()
You were hacked!

42

You see that the dangerous_function() was executed which could contain all kinds of dangerous code. If you run this on your server, the user may attempt to remove all files on your server! For example, the user may use the command os.system('rm -rf *') to remove all files and folders.

Interactive Jupyter Notebook eval()

Exercise: Run the following interactive code and try to run the dangerous function in the interactive Jupyter notebook!


Python exec() vs eval()

Python’s exec() function takes a Python program, as a string or executable object, and runs it. The eval() function evaluates an expression and returns the result of this expression. There are two main differences:

  • exec() can execute all Python source code, whereas eval() can only evaluate expressions.
  • exec() always returns None, whereas eval() returns the result of the evaluated expression.
  • exec() can import modules, whereas eval() cannot.
exec('x=2;y=2;z=x*y;print(z)')
# 4

print(eval('2*2'))
# 4

Python eval() import

Can you import a Python library within the eval() function? No, you can’t! The import statement is a statement, not an expression. But eval() can only execute expressions. A simple workaround is to create a function with side effects that imports the module within the function body:

def f():
    import random
    return random.randint(0, 9)

print(eval('f()'))
# 4

Per default, the eval() function has access to all names in the dir() namespace, so you can also import the library globally and use it within the eval() function:

import random
print(eval('random.randint(0, 9)'))

How to Restrict the Use of Built-in Functions Within eval()

If you don’t want to allow users to access built-in functions, you can restrict this by providing the globals argument as follows:

eval(expression, {'__builtins__': None})

For example:

>>> eval('sum([1, 2, 3])')
6
>>> eval('sum([1, 2, 3])', {'__builtins__': None})
Traceback (most recent call last):
  File "<pyshell#13>", line 1, in <module>
    eval('sum([1, 2, 3])', {'__builtins__': None})
  File "<string>", line 1, in <module>
TypeError: 'NoneType' object is not subscriptable

After restricting the built-in functions in the second call, Python raises an error NoneType object is not subscriptable. This reduces the security risks of your application.

Summary

Python eval(s) parses the string argument s into a Python expression, runs it, and returns the result of the expression.

>>> eval('2+2')
4

This poses a security risk because a user can use it to run code on your computer. For example, if you allow eval(input()), a user could type import os; os.system('rm -R *') to delete all files in your home directory.


I hope you enjoyed the article! To improve your Python education, you may want to join the popular free Finxter Email Academy:

Do you want to boost your Python skills in a fun and easy-to-consume way? Consider the following resources and become a master coder!

Where to Go From Here?

Enough theory, let’s get some practice!

To become successful in coding, you need to get out there and solve real problems for real people. That’s how you can become a six-figure earner easily. And that’s how you polish the skills you really need in practice. After all, what’s the use of learning theory that nobody ever needs?

Practice projects is how you sharpen your saw in coding!

Do you want to become a code master by focusing on practical code projects that actually earn you money and solve problems for people?

Then become a Python freelance developer! It’s the best way of approaching the task of improving your Python skills—even if you are a complete beginner.

Join my free webinar “How to Build Your High-Income Skill Python” and watch how I grew my coding business online and how you can, too—from the comfort of your own home.

Join the free webinar now!