Loading video player…

Evaluate Expressions Dynamically With Python eval() (Overview)

The built-in Python function eval() is used to evaluate Python expressions. You can pass a string containing Python, or a pre-compiled object into eval() and it will run the code and return the result.

Although Python’s eval() is an incredibly useful tool, the function has some important security implications that you should consider before using it. In this course, you’ll learn how eval() works and how to use it safely and effectively in your Python programs.

In this course, you’ll learn about:

  • Using eval()
  • The differences between expressions and statements
  • The globals and locals parameters to eval()
  • The dangers of eval()
  • Writing programs with eval()

The code in this course was tested with Python 3.9.0, eval() has not changed much and older versions should be compatible.


Sample Code (.zip)

7.1 KB

Course Slides (.pdf)

1.1 MB

00:00 Welcome to Evaluate Expressions Dynamically With Python eval(). My name is Chris and I will be your guide. In this course, I’ll be introducing you to the built-in function eval().

00:11 You’ll be learning about the differences between expressions and statements in Python, how to use the globals and locals parameters to eval() and how they relate to other functions that compile Python, the dangers of using eval() and what you should avoid, and generally how to write programs using this built-in function.

00:32 A quick note, all the code samples here were tested using Python 3.9.0. As far as I’m aware, I’m not doing anything that probably wouldn’t go back to even the 2.0 days but if you run into a little weirdness, it might be a version problem.

00:47 eval() is a Python built-in function that evaluates an expression. Here’s a really simple example. eval() running "6 * 7".

00:58 6 * 7, in this case, is the Python code of 6 times 7, resulting in 42, which eval() returns. eval() only takes expressions.

01:09 Expressions are a subset of the Python language, so you can’t do everything with it.

01:15 Expressions only include code such as literals, names, attributes, operations, or functions. So, literals like 6, names like a variable, attributes like attributes of a class, operations like 6 * 7 as I showed you above, or functions that return a value are also allowed. eval() takes the expression, parses it, compiles it, evaluates the result, and then returns whatever that result is.

01:45 Here’s the signature for eval(). It takes the expression first, which is the string to evaluate or a pre-compiled code object similar to the "6 * 7" I just showed you, a dictionary containing global variables that are within scope in this expression, and another dictionary containing local variables that are in scope inside of this expression. You need to be very, very careful with eval() and even more careful with its cousin exec(). Both of these run arbitrary code, and you should never run code from untrusted sources.

02:21 Cleverly constructed user input can cause your code to run on behalf of the user in your environment. As a worst case scenario, it is possible to force eval() to cause rm -rf * to run on your machine, or for those in the Windows world, the equivalent of format C:. This is dangerous.

02:42 And as the symbols show below, this is as dangerous as a poison biotoxin fire running inside of an electrical transformer that is emitting radiation. eval() and exec() are powerful but as with most things that are powerful, if you’re not careful, you can really hurt yourself.

03:01 That’s enough vague and ominous threats. On to eval() in the next lesson.

Become a Member to join the conversation.