The eval()
method parses the expression passed to this method and runs python expression (code) within the program.
Example
number = 9
# eval performs the multiplication passed as argument
square_number = eval('number * number')
print(square_number)
# Output: 81
eval() Syntax
The syntax of eval()
is:
eval(expression, globals=None, locals=None)
eval() Parameters
The eval()
function takes three parameters:
- expression - the string parsed and evaluated as a Python expression
- globals (optional) - a dictionary
- locals (optional)- a mapping object. Dictionary is the standard and commonly used mapping type in Python.
The use of globals and locals will be discussed later in this article.
eval() Return Value
The eval()
method returns the result evaluated from the expression.
Example 1: How eval() works in Python
x = 1
print(eval('x + 1'))
Output
2
Here, the eval()
function evaluates the expression x + 1
and print
is used to display this value.
Example 2: Practical Example to Demonstrate Use of eval()
# Perimeter of Square
def calculatePerimeter(l):
return 4*l
# Area of Square
def calculateArea(l):
return l*l
expression = input("Type a function: ")
for l in range(1, 5):
if (expression == 'calculatePerimeter(l)'):
print("If length is ", l, ", Perimeter = ", eval(expression))
elif (expression == 'calculateArea(l)'):
print("If length is ", l, ", Area = ", eval(expression))
else:
print('Wrong Function')
break
Output
Type a function: calculateArea(l) If length is 1 , Area = 1 If length is 2 , Area = 4 If length is 3 , Area = 9 If length is 4 , Area = 16
Warnings when using eval()
Consider a situation where you are using a Unix system (macOS, Linux etc) and you have imported the os
module. The os module provides a portable way to use operating system functionalities like reading or writing to a file.
If you allow users to input a value using eval(input())
, the user may issue commands to change file or even delete all the files using the command: os.system('rm -rf *')
.
If you are using eval(input())
in your code, it is a good idea to check which variables and methods the user can use. You can see which variables and methods are available using dir() method.
from math import *
print(eval('dir()'))
Output
['__annotations__', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__', 'acos', 'acosh', 'asin', 'asinh', 'atan', 'atan2', 'atanh', 'ceil', 'comb', 'copysign', 'cos', 'cosh', 'degrees', 'dist', 'e', 'erf', 'erfc', 'exp', 'expm1', 'fabs', 'factorial', 'floor', 'fmod', 'frexp', 'fsum', 'gamma', 'gcd', 'hypot', 'inf', 'isclose', 'isfinite', 'isinf', 'isnan', 'isqrt', 'ldexp', 'lgamma', 'log', 'log10', 'log1p', 'log2', 'modf', 'nan', 'os', 'perm', 'pi', 'pow', 'prod', 'radians', 'remainder', 'sin', 'sinh', 'sqrt', 'tan', 'tanh', 'tau', 'trunc']
Restricting the Use of Available Methods and Variables in eval()
More often than not, all the available methods and variables used in the expression (first parameter to eval()
) may not be needed, or even may have a security hole. You may need to restrict the use of these methods and variables for eval()
. You can do so by passing optional globals and locals parameters (dictionaries) to the eval()
function.
1. When both globals and locals parameters omitted
If both parameters are omitted (as in our earlier examples), the expression is executed in the current scope. You can check the available variables and methods using following code:
print(eval('dir()')
2. Passing globals parameter; locals parameter is omitted
The globals and locals parameters (dictionaries) are used for global and local variables respectively. If the locals dictionary is omitted, it defaults to globals dictionary. Meaning, globals will be used for both global and local variables.
Note: You can check the current global and local dictionary in Python using globals() and locals() built-in methods respectively.
Example 3: Passing empty dictionary as globals parameter
from math import *
print(eval('dir()', {}))
# The code will raise an exception
print(eval('sqrt(25)', {}))
Output
['__builtins__'] Traceback (most recent call last): File "<string>", line 5, in <module> print(eval('sqrt(25)', {})) File "<string>", line 1, in <module> NameError: name 'sqrt' is not defined
If you pass an empty dictionary as globals, only the __builtins__
are available to expression
(first parameter to the eval()
).
Even though we have imported the math
module in the above program, expression can't access any functions provided by the math module.
Example 4: Making Certain Methods available
from math import *
print(eval('dir()', {'sqrt': sqrt, 'pow': pow}))
Output
['__builtins__', 'pow', 'sqrt']
Here, the expression can only use the sqrt()
and the pow()
methods along with __builtins__
.
It is also possible to change the name of the method available for the expression as to your wish:
from math import *
names = {'square_root': sqrt, 'power': pow}
print(eval('dir()', names))
# Using square_root in Expression
print(eval('square_root(9)', names))
Output
['__builtins__', 'power', 'square_root'] 3.0
In the above program, square_root()
calculates the square root using sqrt()
. However, trying to use sqrt()
directly will raise an error.
Example 5: Restricting the Use of built-ins
You can restrict the use of __builtins__
in the expression as follows:
eval(expression, {'__builtins__': None})
3. Passing both globals and locals dictionary
You can make needed functions and variables available for use by passing the locals dictionary. For example:
from math import *
a = 169
print(eval('sqrt(a)', {'__builtins__': None}, {'a': a, 'sqrt': sqrt}))
Output
13.0
In this program, expression can have sqrt()
method and variable a only. All other methods and variables are unavailable.
Restricting the use of eval()
by passing globals and locals dictionaries will make your code secure particularly when you are using input provided by the user to the eval()
method.
Note: Sometimes, eval()
is not secure even with limited names. When an object and its methods are made accessible, almost anything can be done. The only secure way is by validating the user input.