
Evaluate Expressions Dynamically With Python eval() (Summary)

You can use Python’s eval() to evaluate Python expressions from a string or from a compiled code object. This built-in function can be useful when you need to evaluate Python expressions on the fly and want to avoid the hassle of writing your own expression evaluator from scratch.

In this course, you’ve learned how eval() works and how to use it safely and effectively to evaluate arbitrary Python expressions.

You’re now able to:

  • Use Python’s eval() to dynamically evaluate basic Python expressions
  • Run more complex expressions like function calls, object creation, and attribute access using eval()
  • Minimize the security risks associated with the use of Python’s eval()
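The following is an added example, not code from the course or its sample-code download. It shows what the globals and locals arguments of eval() do and do not protect against: an allow-list namespace with an emptied builtins table blocks names such as __import__, yet plain attribute access, which eval() cannot forbid, still walks from an empty tuple to object.__subclasses__() and from there to a module whose globals carry the real builtins (the attribute-walk technique described in Ned Batchelder’s article). The names SAFE_GLOBALS, restricted_eval and ESCAPE are this example’s own; ast.literal_eval() is the safe alternative for data.

```python
# Added example (not from the course): how much the globals/locals arguments
# of eval() actually restrict, and where ast.literal_eval() fits in.
import ast
import math

# Allow-list namespace: an emptied builtins table plus two math names.
# Any other name is a NameError inside eval().
SAFE_GLOBALS = {"__builtins__": {}, "sqrt": math.sqrt, "pi": math.pi}


def restricted_eval(expression, variables=None):
    """Evaluate an expression against SAFE_GLOBALS; variables become the locals."""
    return eval(expression, SAFE_GLOBALS, dict(variables or {}))


def raises(exc_type, expression):
    """True if evaluating expression under restricted_eval raises exc_type."""
    try:
        restricted_eval(expression)
    except exc_type:
        return True
    return False


def builtins_injected_when_omitted():
    """eval() silently adds the real builtins to a globals dict that lacks them."""
    namespace = {}
    eval("1 + 1", namespace)
    return "__builtins__" in namespace


# No builtins are needed to reach object.__subclasses__(); from any class whose
# __init__ is a Python function, __globals__ is that module's namespace, and
# the module's __builtins__ entry is the real builtins table.
ESCAPE = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__init__.__class__.__name__ == 'function'"
    " and '__builtins__' in c.__init__.__globals__][0]"
    ".__init__.__globals__['__builtins__']"
)


def escape_recovers_import():
    """Even with __builtins__ emptied, the real __import__ is still reachable."""
    leaked = restricted_eval(ESCAPE)
    table = leaked if isinstance(leaked, dict) else vars(leaked)
    return "__import__" in table


def parse_literal(text):
    """Safe alternative for data: literals only, no names, calls or attributes."""
    return ast.literal_eval(text)


def literal_rejects(text):
    """True if ast.literal_eval refuses text (anything that is not a literal)."""
    try:
        ast.literal_eval(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(restricted_eval("sqrt(x) * 2", {"x": 16}))   # 8.0
    print(raises(NameError, "__import__('os')"))       # True: the name is blocked
    print(escape_recovers_import())                     # True: the sandbox is not
    print(parse_literal("{'ports': [22, 443], 'tls': True}"))
    print(literal_rejects("sqrt(16)"))                  # True
```

The lesson of the escape is the one the course draws: restricting globals and locals is a convenience for the expressions you write yourself, not a sandbox for strings a user supplies. For user data, ast.literal_eval() accepts only literal syntax and raises ValueError on anything else.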

Here are additional resources about eval(), compile(), and exec():

Downloads: Sample Code (.zip, 7.1 KB) and Course Slides (.pdf, 1.1 MB).

00:00 In the previous lesson, I showed you how to build a quick little command line calculator. In this lesson, I’ll summarize the course.

00:08 This course has been about the built-in function eval() and how to use it inside of Python to evaluate expressions. Expressions are a subset of the Python language and do not include statements.

00:22 Generally, expressions are things that evaluate to a result. Comparisons, literals, strings, the return values of functions—those are all expressions. Multiple code blocks, conditionals, and loops are statements and don’t qualify and can’t be used inside of eval().

00:40 In addition to taking an expression to calculate, eval() also takes two additional parameters, globals and locals.

00:47 This allows you to set the context space of the evaluation. The globals space automatically includes anything from Python built-in functions, unless you force it to be otherwise.

01:00 Even if you jump through hoops to try and secure it, eval() exposes things inside of Python that allow arbitrary code to be run. As such, it’s dangerous to use this with untrusted input.

01:13 It’s a powerful tool, but make sure you don’t let your users break your system by taking their strings and eval-ing them.

01:22 The Python documentation’s a great place to dig into specifics of built-in functions. Here’s eval(), the compile() function, eval’s cousin exec(), and the safer version of eval(), literal_eval(), from the ast module.

01:38 In the section on security, I mentioned Ned Batchelder’s older article on how to break things in eval() and why it’s very dangerous. You can read more about that here. In explaining this blog post, I referenced the Python C API. You can see more details about that at this URL.

01:58 eval() is really just the tip of the iceberg. There are all sorts of ways of dynamically parsing and managing Python code. If you’re interested in this topic, look into the ast module. And a handy companion to that module, which is a third-party library available on PyPI, is asttokens.

02:17 asttokens helps you interpret a parsed abstract syntax tree. I actually use this library in the program that I use to demonstrate code. All that screengrab stuff that you’ve been watching in this lesson is built using, amongst other things, the asttokens library.

02:36 I hope this course has been valuable for you. Thank you for your attention!
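As an added example, not code from the course or from the calculator built in the previous lesson, here is the direction the closing remarks point to: a calculator that uses the ast module instead of eval(). The expression is parsed with ast.parse(mode="eval") and evaluated by walking the tree, so anything outside the allow-list (attribute access, subscripts, comprehensions, string literals, unknown names, calls to anything but a listed function) is rejected before any value is computed. The names calculate, UnsafeExpression and MAX_EXPONENT are this example’s own; the exponent cap is a partial guard against expressions such as 9 ** 9 ** 9 that would exhaust memory rather than leak anything.

```python
# Added example (not from the course): a calculator that never calls eval().
import ast
import math
import operator

BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
FUNCTIONS = {"sqrt": math.sqrt, "abs": abs, "round": round}
CONSTANTS = {"pi": math.pi, "e": math.e}
MAX_EXPONENT = 1000  # partial guard against 9 ** 9 ** 9 style blow-ups


class UnsafeExpression(ValueError):
    """Raised for any node, name or call outside the allow-list."""


def _evaluate(node, variables):
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, variables)
    if isinstance(node, ast.Constant):
        # Numbers only: bool is an int subclass, so exclude it explicitly.
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
            raise UnsafeExpression(f"literal not allowed: {node.value!r}")
        return node.value
    if isinstance(node, ast.Name):
        if node.id in variables:
            return variables[node.id]
        if node.id in CONSTANTS:
            return CONSTANTS[node.id]
        raise UnsafeExpression(f"unknown name: {node.id}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_evaluate(node.operand, variables))
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        left = _evaluate(node.left, variables)
        right = _evaluate(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.Call):
        # Only a bare allow-listed name may be called: no attributes, no keywords.
        if (isinstance(node.func, ast.Name) and node.func.id in FUNCTIONS
                and not node.keywords):
            args = [_evaluate(arg, variables) for arg in node.args]
            return FUNCTIONS[node.func.id](*args)
        raise UnsafeExpression("call not allowed")
    # Attribute, Subscript, comprehensions, Lambda, JoinedStr, Compare, BoolOp...
    raise UnsafeExpression(f"node not allowed: {type(node).__name__}")


def calculate(text, **variables):
    """Evaluate an arithmetic expression; raises UnsafeExpression or SyntaxError."""
    tree = ast.parse(text, mode="eval")
    return _evaluate(tree, variables)


def is_rejected(text, **variables):
    """True if calculate() refuses the expression as unsafe."""
    try:
        calculate(text, **variables)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    print(calculate("sqrt(x) * 2 + 1", x=16))                    # 9.0
    print(is_rejected("().__class__.__base__.__subclasses__()"))  # True
    print(is_rejected("__import__('os').system('id')"))          # True
    print(is_rejected("9 ** 9 ** 9"))                            # True
```

Because the walker only ever dispatches on node types it recognises, the default action for anything new in a future Python grammar is rejection rather than evaluation, which is the property eval() with a trimmed namespace cannot give you.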
