Python eval()

The eval() method parses the expression passed to this method and runs python expression (code) within the program.

In simple terms, the eval() function runs the python code (which is passed as an argument) within the program.

The syntax of eval() is:

eval(expression, globals=None, locals=None)

eval() Parameters

The eval() function takes three parameters:

  • expression - the string parsed and evaluated as a Python expression
  • globals (optional) - a dictionary
  • locals (optional)- a mapping object. Dictionary is the standard and commonly used mapping type in Python.

The use of globals and locals will be discussed later in this article.


Return Value from eval()

The eval() method returns the result evaluated from the expression.


Example 1: How eval() works in Python

x = 1
print(eval('x + 1'))

Output

2

Here, the eval() function evaluates the expression x + 1 and print is used to display this value.


Example 2: Practical Example to Demonstrate Use of eval()

# Perimeter of Square
def calculatePerimeter(l):
    return 4*l

# Area of Square
def calculateArea(l):
    return l*l


expression = input("Type a function: ")

for l in range(1, 5):
    if (expression == 'calculatePerimeter(l)'):
        print("If length is ", l, ", Perimeter = ", eval(expression))
    elif (expression == 'calculateArea(l)'):
        print("If length is ", l, ", Area = ", eval(expression))
    else:
        print('Wrong Function')
        break

Output

Type a function: calculateArea(l)
If length is  1 , Area =  1
If length is  2 , Area =  4
If length is  3 , Area =  9
If length is  4 , Area =  16

Warnings when using eval()

Consider a situation where you are using a Unix system (macOS, Linux etc) and you have imported the os module. The os module provides a portable way to use operating system functionalities like reading or writing to a file.

If you allow users to input a value using eval(input()), the user may issue commands to change file or even delete all the files using the command: os.system('rm -rf *').


If you are using eval(input()) in your code, it is a good idea to check which variables and methods the user can use. You can see which variables and methods are available using dir() method.

from math import *
print(eval('dir()'))

Output

['__annotations__', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__', 'acos', 'acosh', 'asin', 'asinh', 'atan', 'atan2', 'atanh', 'ceil', 'comb', 'copysign', 'cos', 'cosh', 'degrees', 'dist', 'e', 'erf', 'erfc', 'exp', 'expm1', 'fabs', 'factorial', 'floor', 'fmod', 'frexp', 'fsum', 'gamma', 'gcd', 'hypot', 'inf', 'isclose', 'isfinite', 'isinf', 'isnan', 'isqrt', 'ldexp', 'lgamma', 'log', 'log10', 'log1p', 'log2', 'modf', 'nan', 'os', 'perm', 'pi', 'pow', 'prod', 'radians', 'remainder', 'sin', 'sinh', 'sqrt', 'tan', 'tanh', 'tau', 'trunc']

Restricting the Use of Available Methods and Variables in eval()

More often than not, all the available methods and variables used in the expression (first parameter to eval()) may not be needed, or even may have a security hole. You may need to restrict the use of these methods and variables for eval(). You can do so by passing optional globals and locals parameters (dictionaries) to the eval() function.

1. When both globals and locals parameters omitted

If both parameters are omitted (as in our earlier examples), the expression is executed in the current scope. You can check the available variables and methods using following code:

print(eval('dir()')

2. Passing globals parameter; locals parameter is omitted

The globals and locals parameters (dictionaries) are used for global and local variables respectively. If the locals dictionary is omitted, it defaults to globals dictionary. Meaning, globals will be used for both global and local variables.

Note: You can check the current global and local dictionary in Python using globals() and locals() built-in methods respectively.

Example 3: Passing empty dictionary as globals parameter

from math import *
print(eval('dir()', {}))

# The code will raise an exception
print(eval('sqrt(25)', {}))

Output

['__builtins__']
Traceback (most recent call last):
  File "<string>", line 5, in <module>
    print(eval('sqrt(25)', {}))
  File "<string>", line 1, in <module>
NameError: name 'sqrt' is not defined

If you pass an empty dictionary as globals, only the __builtins__ are available to expression (first parameter to the eval()).

Even though we have imported the math module in the above program, expression can't access any functions provided by the math module.


Example 4: Making Certain Methods available

from math import *
print(eval('dir()', {'sqrt': sqrt, 'pow': pow}))

Output

['__builtins__', 'pow', 'sqrt']

Here, the expression can only use the sqrt() and the pow() methods along with __builtins__.

It is also possible to change the name of the method available for the expression as to your wish:

from math import *
names = {'square_root': sqrt, 'power': pow}
print(eval('dir()', names))

# Using square_root in Expression
print(eval('square_root(9)', names))

Output

['__builtins__', 'power', 'square_root']
3.0

In the above program, square_root() calculates the square root using sqrt(). However, trying to use sqrt() directly will raise an error.


Example 5: Restricting the Use of built-ins

You can restrict the use of __builtins__ in the expression as follows:

eval(expression, {'__builtins__': None})

3. Passing both globals and locals dictionary

You can make needed functions and variables available for use by passing the locals dictionary. For example:

from math import *

a = 169
print(eval('sqrt(a)', {'__builtins__': None}, {'a': a, 'sqrt': sqrt}))

Output

13.0

In this program, expression can have sqrt() method and variable a only. All other methods and variables are unavailable.


Restricting the use of eval() by passing globals and locals dictionaries will make your code secure particularly when you are using input provided by the user to the eval() method.

Note: Sometimes, eval() is not secure even with limited names. When an object and its methods are made accessible, almost anything can be done. The only secure way is by validating the user input.