Python eval()

The eval() method parses the expression passed to it and runs the expression within the program. In other words, it interprets a string as code inside a Python program.

Syntax

The syntax for eval() is as below −

eval(expression, globals=None, locals=None)

Where

• expression − The Python expression passed to the method as a string.

• globals − A dictionary of available global methods and variables (optional).

• locals − A dictionary of available local methods and variables (optional).

Basic Example

Here's a simple example showing how eval() evaluates mathematical expressions ?

# Basic mathematical expression
expression = "5 + 3 * 2"
result = eval(expression)
print("Expression:", expression)
print("Result:", result)

Expression: 5 + 3 * 2
Result: 11

Using Variables in eval()

You can also evaluate expressions that contain variables ?

# Using variables in expression
a = 10
b = 5
expression = "a * b + 3"
result = eval(expression)
print("Expression:", expression)
print("Result:", result)

Expression: a * b + 3
Result: 53

Security Issues with eval()

For programs involving web applications or desktop programs, there is a chance that the use of eval() will create security vulnerabilities. A malicious user could supply expressions that are system commands to delete files or access sensitive data.

Restricting eval() with Empty Globals

You can restrict eval() by passing an empty dictionary as globals, limiting access to only built-in functions ?

import os
# Safe evaluation with empty globals
safe_expr = "2 + 3 * 4"
result = eval(safe_expr, {})
print("Safe result:", result)

# This shows only built-in functions are available
print("Available functions:", eval('dir()', {}))

Safe result: 14
Available functions: ['__builtins__']

Allowing Specific Functions

You can selectively allow certain functions by including them in the globals dictionary ?

from math import sqrt, pow

# Allow only specific math functions
allowed_names = {'sqrt': sqrt, 'pow': pow}
expression = "sqrt(16) + pow(2, 3)"
result = eval(expression, allowed_names)
print("Result:", result)

# Show what's available
print("Available functions:", eval('dir()', allowed_names))

Result: 12.0
Available functions: ['__builtins__', 'pow', 'sqrt']

Restricting Both Global and Local Scope

For maximum security, you can restrict both global and local scopes by disabling built-ins and allowing only specific functions ?

from time import gmtime

# Completely restricted evaluation
timestamp = 1445945763
result = eval('gmtime(timestamp)', 
              {'__builtins__': None}, 
              {'timestamp': timestamp, 'gmtime': gmtime})
print("Result:", result)

Result: time.struct_time(tm_year=2015, tm_mon=10, tm_mday=27, tm_hour=11, tm_min=36, tm_sec=3, tm_wday=1, tm_yday=300, tm_isdst=0)

Best Practices

• Never use eval() with untrusted user input

• Always restrict globals and locals when possible

• Consider using ast.literal_eval() for safe evaluation of literals

• Use eval() only when absolutely necessary

Conclusion

The eval() function is powerful for evaluating expressions dynamically, but it poses significant security risks. Always restrict its scope using globals and locals parameters when working with user input.