This tutorial shows you how to use Python’s built-in eval()
function.
Why Using It? The main application of eval()
is to take user input at runtime and run it as a Python expression. This way, you can create a calculator or allow users to perform custom computations on a computing cluster. However, this use also poses the biggest security risk: the user can run byzantine (=harmful) code on your server environment!
How does it work? TLDR;
Python eval(s)
parses the string argument s
into a Python expression, runs it, and returns the result of the expression. This poses a security risk because a user can use it to run code on your computer. For example, if you allow eval(input())
, a user could type os.system('rm -R *')
to delete all files in your home directory.
Usage Examples
Learn by example! Here are some examples of how to use the eval()
built-in function:
>>> eval('2+2') 4 >>> eval('[1, 2, 3]*3') [1, 2, 3, 1, 2, 3, 1, 2, 3] >>> eval('[x for x in range(10)]') [0, 1, 2, 3, 4, 5, 6, 7, 8, 9] >>> eval('"Alice".replace("e", "")') 'Alic'
You can run any Python code that has a return value within the eval()
code. You can even create your own function and run it within eval()
:
>>> def f(): return 42 >>> eval('f()') 42
This gives you great flexibility in how you use the function to run any string expression you may encounter in Python and it allows you to create Python code programmatically and evaluate it at runtime.
Syntax eval()
You can use the eval()
method with three different argument lists.
Syntax:eval(string)
eval
(string
, globals)
eval
(string
, globals, locals)
Arguments |
| A string to be evaluated. |
globals | Optional, default None . A dictionary in which you can define variables that should be globally accessible by the executed object (local namespace). | |
locals | Optional, default None . A dictionary in which you can define variables that should be locally accessible by the executed object (global namespace). | |
Return Value | object | Returns the result of parsing the string argument and running it as a Python expression. |
Python eval() Return Value
The return value of eval()
is a Python object that is the result of parsing the string
argument and running it as a Python expression. The code can have side effects which means that it may change the state of your program or even your computer!
Check out my new Python book Python One-Liners (Amazon Link).
If you like one-liners, you’ll LOVE the book. It’ll teach you everything there is to know about a single line of Python code. But it’s also an introduction to computer science, data science, machine learning, and algorithms. The universe in a single line of Python!
The book was released in 2020 with the world-class programming book publisher NoStarch Press (San Francisco).
Publisher Link: https://nostarch.com/pythononeliners
[Danger Zone] Python eval(input()) User Input
You can use the eval()
function to run code that is typed in dynamically by the user:
def dangerous_function(): # Do nasty stuff like removing files # or creating trojan horses print('You were hacked!') return 42 eval(input())
This is how the user may interact with your code at runtime:
dangerous_function() You were hacked! 42
You see that the dangerous_function() was executed which could contain all kinds of dangerous code. If you run this on your server, the user may attempt to remove all files on your server! For example, the user may use the command os.system('rm -rf *')
to remove all files and folders.
Interactive Jupyter Notebook eval()
Exercise: Run the following interactive code and try to run the dangerous function in the interactive Jupyter notebook!
Python exec() vs eval()
Python’s exec()
function takes a Python program, as a string or executable object, and runs it. The eval()
function evaluates an expression and returns the result of this expression. There are two main differences:
exec()
can execute all Python source code, whereaseval()
can only evaluate expressions.exec()
always returnsNone
, whereaseval()
returns the result of the evaluated expression.exec()
can import modules, whereaseval()
cannot.
exec('x=2;y=2;z=x*y;print(z)') # 4 print(eval('2*2')) # 4
Python eval() import
Can you import a Python library within the eval()
function? No, you can’t! The import
statement is a statement, not an expression. But eval()
can only execute expressions. A simple workaround is to create a function with side effects that imports the module within the function body:
def f(): import random return random.randint(0, 9) print(eval('f()')) # 4
Per default, the eval()
function has access to all names in the dir()
namespace, so you can also import the library globally and use it within the eval()
function:
import random print(eval('random.randint(0, 9)'))
How to Restrict the Use of Built-in Functions Within eval()
If you don’t want to allow users to access built-in functions, you can restrict this by providing the globals
argument as follows:
eval(expression, {'__builtins__': None})
For example:
>>> eval('sum([1, 2, 3])') 6 >>> eval('sum([1, 2, 3])', {'__builtins__': None}) Traceback (most recent call last): File "<pyshell#13>", line 1, in <module> eval('sum([1, 2, 3])', {'__builtins__': None}) File "<string>", line 1, in <module> TypeError: 'NoneType' object is not subscriptable
After restricting the built-in functions in the second call, Python raises an error NoneType object is not subscriptable
. This reduces the security risks of your application.
Summary
Python eval(s)
parses the string argument s
into a Python expression, runs it, and returns the result of the expression.
>>> eval('2+2') 4
This poses a security risk because a user can use it to run code on your computer. For example, if you allow eval(input())
, a user could type import os; os.system('rm -R *')
to delete all files in your home directory.
I hope you enjoyed the article! To improve your Python education, you may want to join the popular free Finxter Email Academy:
Do you want to boost your Python skills in a fun and easy-to-consume way? Consider the following resources and become a master coder!
Where to Go From Here?
Enough theory. Let’s get some practice!
Coders get paid six figures and more because they can solve problems more effectively using machine intelligence and automation.
To become more successful in coding, solve more real problems for real people. That’s how you polish the skills you really need in practice. After all, what’s the use of learning theory that nobody ever needs?
You build high-value coding skills by working on practical coding projects!
Do you want to stop learning with toy projects and focus on practical code projects that earn you money and solve real problems for people?
🚀 If your answer is YES!, consider becoming a Python freelance developer! It’s the best way of approaching the task of improving your Python skills—even if you are a complete beginner.
If you just want to learn about the freelancing opportunity, feel free to watch my free webinar “How to Build Your High-Income Skill Python” and learn how I grew my coding business online and how you can, too—from the comfort of your own home.