Python eval()

Python eval() is a powerful function for dynamically evaluating expressions. However, it should be used with caution due to potential security risks. By restricting access to built-ins and using custom globals and locals dictionaries, you can make eval() safer. Always validate and sanitize inputs to avoid vulnerabilities.
Table of Contents

Understanding Python eval() Function

Python eval() is a built-in function that parses and evaluates a string as a Python expression. It allows you to run a piece of Python code represented as a string. This can be useful for dynamically executing code you don’t know when writing the program. The eval() function takes the expression string as its primary argument, along with optional dictionaries for global and local variables, and returns the result of evaluating that expression.

Syntax of Python eval()

result = eval(expression, globals=None, locals=None)

Explanation

  • result: Variable will store the result of evaluating the expression. The returned value will depend on the expression.
  • eval(): Built-in function that evaluates the expression string.
  • expression: String containing the Python expression you want to evaluate. It is the input for the eval() function.
  • globals (optional): Dictionary representing the global namespace in which the expression will be evaluated.
  • locals (optional): Dictionary representing the local namespace in which the expression will be evaluated.

Example of Python eval()

x = 10
result = eval("x * 2")
print(result)

Explanation

  • x = 10: Initializes a variable x to 10.
  • result = eval("x * 2"): Uses eval() to evaluate the string “x * 2” as a Python expression, storing the result in result.
  • print(result): Prints the value of result, which is 20.

Output

20

eval() Parameters

Python eval() function can take up to three parameters: expression, globals, and locals. The expression parameter is the string you want to evaluate as a Python expression. The globals parameter is an optional dictionary that specifies the global namespace in which the expression should be evaluated. The locals parameter is another optional dictionary specifying the evaluation’s local namespace. If globals is provided but locals is omitted, locals defaults to the same dictionary as globals.

Syntax

result = eval(expression, globals=None, locals=None)

Example

global_var = 5
local_var = 3

result = eval("global_var + local_var", {"global_var": global_var}, {"local_var": local_var})
print(result)

Explanation

  • global_var = 5: Initializes a global variable global_var.
  • local_var = 3: Initializes a local variable local_var.
  • result = eval("global_var + local_var", {"global_var": global_var}, {"local_var": local_var}): Uses eval() to evaluate the expression “global_var + local_var” within the specified global and local namespaces.
  • print(result): Prints the result, which is 8.

Output

8

eval() Return Type

Python eval() function returns the result of evaluating the given expression. The type of the returned value depends entirely on the expression itself. It could be an integer, a float, a string, a boolean, a list, or any other valid Python object. If the expression is invalid or raises an error during evaluation, eval() will raise an exception accordingly. The returned value will depend on the input expression.

Syntax

result = eval(expression, globals, locals)

Explanation

  • result: Variable stores the value returned by eval(), which is the result of the evaluated expression. The return type will depend on the input expression.
  • eval(): Function evaluates the expression and returns its result.
  • expression: Python expression to evaluate, as a string. It is passed as first parameter to eval().
  • globals: (Optional) Dictionary for the global namespace. It is passed as second parameter to eval().
  • locals: (Optional) Dictionary for the local namespace. It is passed as third parameter to eval().

Example

result = eval("'Hello' + ' ' + 'World'")
print(result)

Explanation

  • result = eval("'Hello' + ' ' + 'World'"): Uses eval() to evaluate the string concatenation expression.
  • print(result): Prints the result, which is the concatenated string “Hello World”.

Output

Hello World

Warnings When Using eval()

While Python eval() can be a powerful tool, it also comes with significant security risks if misused. Evaluating arbitrary strings from untrusted sources (like user input) can allow malicious code to be executed, potentially compromising your system or data. It’s crucial to avoid using eval() on input that you don’t fully control. If you must use eval(), make sure to sanitize and validate the input thoroughly. If you do not validate correctly, then your system might be compromised.

Syntax

result = eval(untrusted_input)

Explanation

  • result: Variable would store the result, but there’s a potential security risk.
  • eval(): Function executes arbitrary code, which is dangerous with untrusted input. Using eval() can raise security issues if not used properly.
  • untrusted_input: Represents a string from an untrusted source (e.g., user input). It is passed as input to eval().

Example

# Example of a potential security risk - Avoid doing this with untrusted input!
try:
    user_input = "__import__('os').system('rm -rf /')"  # Example of malicious code
    result = eval(user_input)
    print(result)
except Exception as e:
    print(f"Error: {e}")

Explanation

  • user_input = "__import__('os').system('rm -rf /')": Simulates a malicious user input that tries to delete all files.
  • result = eval(user_input): Attempts to evaluate the malicious input using eval().
  • print(result): Print the result if the eval() call succeeded.
  • except Exception as e:: Catches any exception that might occur.
  • print(f"Error: {e}"): Prints the error message.

Output

Error: name ‘__import__’ is not defined

Restricting Methods and Variables in eval()

You can make Python eval() safer by restricting the methods and variables available during evaluation. You do this by providing globals and locals dictionaries to the eval() function. These dictionaries define the global and local namespaces in which the expression will be evaluated. By carefully controlling these namespaces, you can limit the capabilities of the code being evaluated.

When Both globals and locals Parameters Omitted

If you omit both the globals and locals parameters when calling Python eval(), the expression is evaluated in the current scope. This means it has access to all the variables, functions, and other objects that are currently defined in the surrounding code. This is generally the least secure way to use eval(), as it gives the evaluated code much potential power.

Syntax

result = eval(expression)

Explanation

  • result: Variable will store the result of the evaluation.
  • eval(): Function evaluates the expression in the current scope.
  • expression: Python expression to evaluate, as a string. It is passed as input to eval().

Example

x = 10
y = 5
result = eval("x + y")
print(result)

Explanation

  • x = 10: Initializes a global variable x.
  • y = 5: Initializes a global variable y.
  • result = eval("x + y"): Evaluates the expression “x + y” in the current scope, where x and y are defined.
  • print(result): Prints the result, which is 15.

Output

15

Passing Both globals and locals Parameters Omitted

When you pass both the globals and locals parameters to Python eval(), you explicitly define the namespaces in which the expression will be evaluated. This gives you more control over the environment where the code runs, allowing you to restrict access to certain variables or functions. If you pass empty dictionaries for both globals and locals, the evaluated code will have access to almost nothing. If any variable or method is used inside eval(), this will raise an error.

Syntax

result = eval(expression, globals_dict, locals_dict)

Explanation

  • result: Variable will store the result of the evaluation.
  • eval(): Function evaluates the expression within the specified namespaces.
  • expression: Python expression to evaluate, as a string. It is passed as input to eval().
  • globals_dict: Dictionary defining the global namespace. It is passed as second parameter to eval().
  • locals_dict: Dictionary defining the local namespace. It is passed as third parameter to eval().

Example

global_vars = {'a': 7}
local_vars = {'b': 3}
result = eval("a + b", global_vars, local_vars)
print(result)

Explanation

  • global_vars = {'a': 7}: Creates a dictionary global_vars with one variable a.
  • local_vars = {'b': 3}: Creates a dictionary local_vars with one variable b.
  • result = eval("a + b", global_vars, local_vars): Evaluates “a + b” using the provided namespaces, so a is taken from global_vars and b from local_vars.
  • print(result): Prints the result, which is 10.

Output

10

Passing Empty Dictionary as globals Parameter

Suppose you pass an empty dictionary as the globals parameter to Python eval() and omit the locals parameter. In that case, the expression will be evaluated with access to Python’s built-in functions and variables but not to any of your global variables. This is because when locals is omitted, it defaults to the value of globals. Passing an empty globals dictionary means the evaluated code won’t have access to your global variables, but it can still use built-in functions.

Syntax

result = eval(expression, {})

Explanation

  • result: Variable will store the result of the evaluation.
  • eval(): Function evaluates the expression with limited access to globals.
  • expression: Python expression to evaluate, as a string. It is the input for eval().
  • {}: Empty dictionary passed as the globals parameter, restricting access to global variables but still allowing access to built-ins.

Example

result = eval("abs(-10)", {})
print(result)

Explanation

  • result = eval("abs(-10)", {}): Evaluates the expression abs(-10) with an empty globals dictionary, but abs is a built-in function, so it works.
  • print(result): Prints the result, which is 10.

Output

10

Making Certain Methods Available

If you want the evaluated code to use specific methods or variables, you can include them in the globals dictionary you pass to Python eval(). This way, you can create a controlled environment where only certain functions or data are accessible. This allows you to expose specific functionalities while keeping the rest of your program’s state hidden.

Syntax

globals_dict = {‘some_method’: some_method, ‘some_variable’: some_variable}
result = eval(expression, globals_dict)

Explanation

  • globals_dict: Dictionary that you’ll populate with the methods and variables you want to make available.
  • 'some_method': some_method: Inside globals_dict, you map the name ‘some_method’ to the actual method some_method.
  • 'some_variable': some_variable: Similarly, you map ‘some_variable’ to the variable some_variable.
  • result: Variable will store the result of the evaluation.
  • eval(): Function evaluates the expression using the provided globals_dict.
  • expression: Python expression to evaluate, as a string. It is passed as first parameter to eval().
  • globals_dict: Dictionary specifying which globals are available during evaluation. It is passed as second parameter to eval().

Example

def my_function(x):
    return x * 2

globals_dict = {'my_func': my_function}
result = eval("my_func(5)", globals_dict)
print(result)

Explanation

  • def my_function(x):: Defines a function my_function that doubles its input.
  • return x * 2: Returns the doubled value.
  • globals_dict = {'my_func': my_function}: Creates a dictionary globals_dict making my_function available under the name ‘my_func’.
  • result = eval("my_func(5)", globals_dict): Evaluates the expression “my_func(5)” with access to my_function through globals_dict.
  • print(result): Prints the result, which is 10.

Output

10

Restricting the Use of Built-Ins (Passing Both globals and locals Dictionary)

To restrict the use of built-in functions within Python eval(), you can pass a globals dictionary that specifically overrides the __builtins__ key. By setting __builtins__ to None or an empty dictionary, you disable access to most of Python’s built-in functions from within the evaluated code. This is a common technique to enhance security when using eval(), as it prevents potentially harmful operations.

Syntax

globals_dict = {‘__builtins__’: None}
locals_dict = {}
result = eval(expression, globals_dict, locals_dict)

Explanation

  • globals_dict: Dictionary defining the global namespace for eval().
  • {'__builtins__': None}: Sets the built-ins to None, effectively disabling them. You are passing this as global namespace.
  • locals_dict: Dictionary defining the local namespace (can be empty).
  • result: Variable will store the result of the evaluation.
  • eval(): Function evaluates the expression within the restricted namespaces.
  • expression: Python expression to evaluate, as a string. It is passed as input to eval().
  • globals_dict: Restricted globals dictionary. It is passed as parameter to eval().
  • locals_dict: Locals dictionary. It is passed as parameter to eval().

Example

try:
    result = eval("print('This should not work')", {'__builtins__': None}, {})
    print(result)
except NameError as e:
    print(f"Error: {e}")

Explanation

  • try:: Block attempts to execute the eval() function.
  • result = eval("print('This should not work')", {'__builtins__': None}, {}): Attempts to evaluate a print call with built-ins disabled.
  • print(result): Print the result if the eval() call succeeded.
  • except NameError as e:: Catches a NameError, which is expected when built-ins are disabled.
  • print(f"Error: {e}"): Prints the error message.

Output

Error: name ‘print’ is not defined

Evaluating Expressions using Python’s eval()

Python eval() is a powerful function that allows you to evaluate arbitrary Python expressions from a string. This means you can use it to execute code generated or modified during runtime, providing high flexibility. Besides mathematical expressions, you can evaluate function calls, variable assignments, and more. However, it’s crucial to be aware of the security implications, especially when dealing with external input, as eval() can execute any code in the string.

Syntax

result = eval(expression_string, globals, locals)

Explanation

  • result: Variable will store the result of evaluating the expression.
  • eval(): Function evaluates the given expression_string.
  • expression_string: String containing a valid Python expression to be evaluated. It is passed as first parameter to eval().
  • globals: (Optional) Dictionary for the global namespace. It is passed as second parameter to eval().
  • locals: (Optional) Dictionary for the local namespace. It is passed as third parameter to eval().

Example

code_string = "len([1, 2, 3, 4])"
result = eval(code_string)
print(result)

Explanation

  • code_string = "len([1, 2, 3, 4])": Defines a string code_string containing a Python expression that calls the len() function.
  • result = eval(code_string): Uses eval() to evaluate code_string and stores the result (the length of the list) in result.
  • print(result): Prints the value of result, which is 4.

Output

4

Evaluating Mathematical Expressions in Python

Python eval() can evaluate mathematical expressions provided as strings. This is useful when you perform calculations based on dynamically generated expressions or user input. The eval() function can handle basic arithmetic operations and more complex expressions involving variables, functions, and parentheses. Remember to use this functionality carefully, as it can be vulnerable.

Syntax

result = eval(mathematical_expression_string)

Explanation

  • result: Variable will store the result of the mathematical expression evaluation.
  • eval(): Function evaluates the mathematical expression.
  • mathematical_expression_string: String containing a valid Python mathematical expression. It is used as input for eval().

Example

expression = "3 * (4 + 5) - 2"
result = eval(expression)
print(result)

Explanation

  • expression = "3 * (4 + 5) - 2": Defines a string expression containing a mathematical expression.
  • result = eval(expression): Uses eval() to evaluate the expression string and stores the result in result.
  • print(result): Prints the calculated result, which is 25.

Output

25

Evaluate Boolean Expressions in Python

Python eval() can also be used to evaluate boolean expressions, which result in either True or False. This is handy when you need to check conditions based on strings dynamically. For instance, you can use eval() to evaluate comparisons, logical operations (like and, or, not), and other expressions that return boolean values.

Syntax

result = eval(boolean_expression_string)

Explanation

  • result: Variable will store the boolean result (True or False) of the evaluation.
  • eval(): Function evaluates the boolean expression.
  • boolean_expression_string: String containing a valid Python boolean expression. It is used as input for eval().

Example

x = 10
y = 20
expression = "x < y and y > 5"
result = eval(expression)
print(result)

Explanation

  • x = 10: Initializes a variable x to 10.
  • y = 20: Initializes a variable y to 20.
  • expression = "x < y and y > 5": Defines a string expression containing a boolean expression.
  • result = eval(expression): Uses eval() to evaluate the boolean expression and stores the result in result.
  • print(result): Prints the value of result, which is True.

Output

True

Evaluate Conditional Expressions in Python

Conditional expressions, known as ternary operators, can be evaluated using Python eval(). A conditional expression has the form a if condition else b, where it returns a if the condition is True, and b otherwise. eval() can process these expressions when represented as strings, providing a way to execute conditional logic dynamically.

Syntax

result = eval(conditional_expression_string)

Explanation

  • result: Variable will store the result of the conditional expression.
  • eval(): Function evaluates the conditional expression string.
  • conditional_expression_string: String containing a Python conditional expression (e.g., “a if condition else b”). It is used as input for eval().

Example

age = 25
result = eval("'Adult' if age >= 18 else 'Minor'")
print(result)

Explanation

  • age = 25: Initializes a variable age to 25.
  • result = eval("'Adult' if age >= 18 else 'Minor'"): Uses eval() to evaluate the conditional expression, assigning ‘Adult’ to result because age is greater than or equal to 18.
  • print(result): Prints the value of result, which is ‘Adult’.

Output

Adult

Making eval() safe

To make Python eval() safer, it’s essential to restrict the environment in which the expression is evaluated. You can do this by passing controlled globals and locals dictionaries to eval(). You can limit what the evaluated code can do by carefully selecting which variables, functions, and modules are available in these dictionaries. Additionally, always avoid using eval() on input from untrusted sources, and consider using safer alternatives like ast.literal_eval() for simple expressions when possible.

Syntax

result = eval(expression, globals_dict, locals_dict)

Explanation

  • result: Variable will store the result of the evaluation.
  • eval(): Function evaluates the expression in a controlled environment.
  • expression: Python expression to evaluate, as a string. It is used as input for eval().
  • globals_dict: Dictionary defining the allowed global namespace. It is used as a parameter for eval().
  • locals_dict: Dictionary defining the allowed local namespace. It is used as a parameter for eval().

Example

safe_globals = {"__builtins__": None}
safe_locals = {"x": 5, "y": 10}
result = eval("x + y", safe_globals, safe_locals)
print(result)

Explanation

  • safe_globals = {"__builtins__": None}: Creates a safe_globals dictionary that disables built-in functions by setting __builtins__ to None.
  • safe_locals = {"x": 5, "y": 10}: Creates a safe_locals dictionary that defines local variables x and y.
  • result = eval("x + y", safe_globals, safe_locals): Evaluates “x + y” in the restricted environment, where only x and y are defined and built-ins are disabled.
  • print(result): Prints the result, which is 15.

Output

15

Conclusion

Python eval() is a powerful function for dynamically evaluating Python expressions represented as strings. It offers flexibility in executing code generated at runtime and can handle various expressions, including mathematical, boolean, and conditional expressions. Understanding the capabilities and limitations of eval() is essential for writing safe and dynamic Python code. Remember that using eval() is dangerous if you do not sanitize your inputs properly.

Also Read

Python filter()

Python float()

Python Reference

python eval()