Python\u2019s eval() lets you turn a string into executable code at runtime. eval (“3 + 4”) returns 7, showcasing the language\u2019s expressiveness and flexibility. This dynamic evaluation powers simple calculators, configurable expression-driven systems, and lightweight code generation tools without building a custom parser. <\/p>\n\n\n\n
Use it carefully, though: executing untrusted strings is a serious security risk and can be mitigated by input validation, restricted globals, or safer alternatives like ast.literal_eval for simple literals.<\/p>\n\n\n\n
In this article, we will walk through everything you need to understand about python eval(). We will cover its syntax and three parameters, walk through practical code examples for different use cases, explain the security risks clearly and honestly, show you how to restrict its execution environment, and introduce the safer alternatives you should reach for first.<\/p>\n\n\n\n
\n The first parameter, expression, is required and must be a string containing a valid Python <\/a>expression. eval() accepts expressions that produce a value (for example, 3 + 4, len(“hello”), or x * 2). <\/p>\n\n\n\n It does not accept statements; passing a statement such as x = 5 or a for loop will raise a SyntaxError.<\/p>\n\n\n\n The second parameter, globals, is an optional dictionary that defines the global namespace available to the evaluated expression. If provided, it controls which global variables and functions the expression can access. If not provided, eval() uses the calling code\u2019s current global scope.<\/p>\n\n\n\n The third parameter, locals, is an optional dictionary (or mapping) that defines the local namespace for the evaluation. It works like globals but for local names. If locals is omitted, eval() uses the calling code\u2019s current local scope (or the globals dict if only two arguments are given).<\/p>\n\n\n\n If neither globals nor locals is passed, eval() executes the expression using the current global and local scope of the caller. <\/p>\n\n\n\n These namespace parameters are the main tool for restricting what the evaluated code can access and so are important for making eval() safer (for example, by supplying a limited globals dict or using safer alternatives like ast.literal_eval when appropriate).<\/p>\n\n\n\n Here it is rewritten as step-wise subheadings, with each step concise and clear.<\/p>\n\n\n\n Notes on usage and safety<\/p>\n\n\n\n Starting with the simplest use case makes the function’s behavior immediately clear.<\/p>\n\n\n\n Notice something important in the output of the first example: it returns an actual integer, not a string. It does not just interpret the expression visually. It fully evaluates it and returns the native Python type of the result. This is fundamentally different from simply printing a string that looks like a number.<\/p>\n\n\n\n When globals and locals are not specified, eval() has access to all variables in the current scope. This allows expressions to reference variables defined in the surrounding code.<\/p>\n\n\n\n The fact that it silently inherits the full current namespace when no globals or locals are provided is precisely what makes it dangerous with untrusted input, but also what makes it convenient for quick internal use cases.<\/p>\n\n\n\n \n Python\u2019s eval()<\/strong> function does much more than evaluate text\u2014it first compiles the supplied expression into Python bytecode<\/strong> and then executes it inside the current Python virtual machine. Because of this, the result is returned as a native Python object such as an integer<\/strong>, float<\/strong>, list<\/strong>, or other data type, rather than a string. While this makes eval()<\/strong> convenient for internal tools, calculators, and dynamic configuration expressions, it also makes it dangerous when used with untrusted input. Since eval() can access the current execution scope by default, improper use is one of the most common causes of remote code execution (RCE)<\/strong> vulnerabilities in Python applications.\n <\/p>\n<\/div>\n\n\n\n The second and third parameters give you explicit control over what the evaluated expression can see and access.<\/p>\n\n\n\n One of the most common legitimate uses of eval() is building a calculator that accepts mathematical expressions from users or configuration files:<\/p>\n\n\n\n For internal tools processing trusted input, eval() works well as a calculator alternative. The alternative is writing your own expression parser, which is significantly more work for the same result.<\/p>\n\n\n\n eval() is also useful when you need to evaluate expressions that are not known until runtime, such as those loaded from configuration files or generated by other parts of your program:<\/p>\n\n\n\n Configuration systems, templating engines, and developer tools occasionally require constructing and executing code at runtime. This pattern makes sense when the code comes from a controlled source, like a configuration file you wrote. It becomes dangerous when the input comes from users or external systems.<\/p>\n\n\n\n This is the section that every beginner must read carefully. eval() is one of the most dangerous functions in Python when used with untrusted input, and the risk is real, not theoretical.<\/p>\n\n\n\n While eval() is powerful, it carries risks. Never use eval() with untrusted input. If you let a user provide the string for eval(), they could type malicious code. This code could delete files from your system.<\/p>\n\n\n\n Here is a concrete example of what a malicious user could pass to an unprotected eval():<\/p>\n\n\n\n Python’s eval() automatically inserts a reference to the dictionary of builtins into globals before parsing the expression. A malicious user could exploit this behavior by using the built-in function _import__() to get access to dangerous system functionality.<\/p>\n\n\n\n When you genuinely need eval(), the globals and locals parameters are your primary defense mechanism.<\/p>\n\n\n\n Before reaching for eval(), consider these safer alternatives that cover most common use cases:<\/p>\n\n\n\n ast.literal_eval()<\/strong> is the best alternative when you need to parse Python data structures like lists, dictionaries, tuples, and strings from user input:<\/p>\n\n\n\n json.loads()<\/strong> is the right choice when parsing data that comes in JSON <\/a>format from APIs or configuration files:<\/p>\n\n\n\n The operator module<\/strong> is useful for dynamic mathematical operations without the security risk:<\/p>\n\n\n\n A common source of confusion for beginners is the difference between eval() and exec(). They are related but serve different purposes:<\/p>\n\n\n\n Use eval() when you need the result of an expression. Use exec() when you want to execute statements that have side effects like variable assignments or function definitions. Both carry similar security risks and both should be used with great caution.<\/p>\n\n\n\neval()<\/code> is a built-in Python function that takes a string containing a valid Python expression, interprets it as Python code, evaluates it, and returns the resulting value. It accepts an expression string along with optional globals<\/code> and locals<\/code> dictionaries that control the variables, functions, and objects accessible during evaluation. While eval()<\/code> can be useful for dynamically evaluating expressions, it should be used with caution because executing untrusted input can create serious security risks.\n <\/p>\n\n <\/div>\n\n<\/div>\n\n\n\nThe Syntax of Python eval()<\/strong><\/h2>\n\n\n\n
\n
\n
\n
\n
How eval() Actually Works Internally<\/strong><\/h2>\n\n\n\n
Step 1: Parse the string<\/strong><\/h3>\n\n\n\n
\n
Step 2: Compile to bytecode<\/strong><\/h3>\n\n\n\n
\n
Step 3: Execute the bytecode<\/strong><\/h3>\n\n\n\n
\n
Step 4: Return the result<\/strong><\/h3>\n\n\n\n
\n
\n
Basic Examples of eval()<\/strong><\/h2>\n\n\n\n
# Basic arithmetic expressions\n\nresult1 = eval(\"3 + 4\")\n\nprint(result1) # Output: 7\n\nprint(type(result1)) # Output: <class 'int'>\n\nresult2 = eval(\"10 * 2.5\")\n\nprint(result2) # Output: 25.0\n\nresult3 = eval(\"2 ** 8\")\n\nprint(result3) # Output: 256\n\n# String operations\n\nresult4 = eval(\"'Hello' + ' ' + 'World'\")\n\nprint(result4) # Output: Hello World\n\n# Boolean expressions\n\nresult5 = eval(\"5 > 3 and 10 < 20\")\n\nprint(result5) # Output: True\n\n# Using Python built-in functions inside eval\n\nresult6 = eval(\"len('Python')\")\n\nprint(result6) # Output: 6\n\nresult7 = eval(\"max(10, 25, 7, 18)\")\n\nprint(result7) # Output: 25<\/code><\/pre>\n\n\n\nUsing eval() With Variables in Scope<\/strong><\/h2>\n\n\n\n
x = 10\n\ny = 20\n\nz = 5\n\n# eval() can access variables from the current scope\n\nresult = eval(\"x + y * z\")\n\nprint(result) # Output: 110 (10 + 20*5 = 110)\n\n# Using variables in comparisons\n\nname = \"Alice\"\n\nresult2 = eval(\"name.upper() + ' is learning Python'\")\n\nprint(result2) # Output: ALICE is learning Python\n\n# Calling functions defined in the current scope\n\ndef square(n):\n\n return n ** 2\n\nresult3 = eval(\"square(x) + y\")\n\nprint(result3) # Output: 120 (100 + 20)<\/code><\/pre>\n\n\n\nUsing eval() With globals and locals<\/strong><\/h2>\n\n\n\n
# Providing specific variables through locals\n\nexec_locals = {'a': 10, 'b': 20}\n\nresult = eval(\"a * b\", {}, exec_locals)\n\nprint(result) # Output: 200\n\n# The expression cannot access variables outside exec_locals\n\nx = 999\n\ntry:\n\n result = eval(\"x + a\", {}, exec_locals)\n\nexcept NameError as e:\n\n print(f\"Error: {e}\")\n\n # Error: name 'x' is not defined\n\n# Providing math functions through globals\n\nimport math\n\nmath_globals = {\n\n \"sin\": math.sin,\n\n \"cos\": math.cos,\n\n \"pi\": math.pi,\n\n \"__builtins__\": {} # disable built-in functions\n\n}\n\nresult = eval(\"sin(pi \/ 2)\", math_globals)\n\nprint(result) # Output: 1.0\n\nresult2 = eval(\"cos(0)\", math_globals)\n\nprint(result2) # Output: 1.0<\/code><\/pre>\n\n\n\n\n
Practical Use of eval Case 1: A Dynamic Calculator<\/strong><\/h2>\n\n\n\n
def calculate(expression):\n\n allowed_chars = set(\"0123456789 +-*\/().**% \")\n\n # Basic validation: only allow safe characters\n\n if not all(c in allowed_chars for c in expression):\n\n raise ValueError(f\"Invalid characters in expression: {expression}\")\n\n # Restricted namespace: only math operations allowed\n\n safe_globals = {\"__builtins__\": {}}\n\n safe_locals = {\n\n \"abs\": abs,\n\n \"round\": round,\n\n \"pow\": pow,\n\n \"max\": max,\n\n \"min\": min,\n\n }\n\n try:\n\n result = eval(expression, safe_globals, safe_locals)\n\n return result\n\n except Exception as e:\n\n raise ValueError(f\"Could not evaluate expression: {e}\")\n\n# Testing the calculator\n\nexpressions = [\n\n \"2 + 3 * 4\",\n\n \"100 \/ 4 - 5\",\n\n \"2 ** 10\",\n\n \"abs(-42)\",\n\n \"round(3.14159, 2)\"\n\n]\n\nfor expr in expressions:\n\n print(f\"{expr} = {calculate(expr)}\")\n\nOutput:\n\n2 + 3 * 4 = 14\n\n100 \/ 4 - 5 = 20.0\n\n2 ** 10 = 1024\n\nabs(-42) = 42\n\nround(3.14159, 2) = 3.14<\/code><\/pre>\n\n\n\nPractical Use of eval Case 2: Dynamic Configuration and Runtime Code<\/strong><\/h2>\n\n\n\n
# Simulating a configuration system with dynamic expressions\n\nconfig = {\n\n \"discount_rate\": \"0.15\",\n\n \"tax_formula\": \"price * 0.08\",\n\n \"bonus_formula\": \"base_salary * 0.10 + 500\"\n\n}\n\n# Evaluate tax formula with a specific price\n\nprice = 200\n\ntax = eval(config[\"tax_formula\"])\n\nprint(f\"Tax on ${price}: ${tax}\") # Tax on $200: $16.0\n\n# Evaluate bonus formula\n\nbase_salary = 50000\n\nbonus = eval(config[\"bonus_formula\"])\n\nprint(f\"Bonus: ${bonus}\") # Bonus: $5500.0\n\n# Dynamic operation selection\n\ndef apply_operation(values_str, operation):\n\n values = eval(values_str) # e.g., \"[5, 2, 9, 1]\"\n\n result = eval(f\"{operation}({values_str})\")\n\n return result\n\nprint(apply_operation(\"[5, 2, 9, 1]\", \"max\")) # 9\n\nprint(apply_operation(\"[5, 2, 9, 1]\", \"min\")) # 1\n\nprint(apply_operation(\"[5, 2, 9, 1]\", \"sum\")) # 17<\/code><\/pre>\n\n\n\nThe Security Risk: Why eval() Can Be Dangerous<\/strong><\/h2>\n\n\n\n
# DANGEROUS: Never do this in production code\n\nuser_input = input(\"Enter expression: \")\n\nresult = eval(user_input) # SECURITY VULNERABILITY\n\nIf a user types any of the following, the results could be catastrophic:\n\n# User inputs that could cause serious damage:\n\n# Delete all files in current directory\n\n\"__import__('os').system('rm -rf *')\"\n\n# Read sensitive files from the system\n\n\"open('\/etc\/passwd').read()\"\n\n# Access environment variables containing secrets\n\n\"__import__('os').environ\"\n\n# Execute arbitrary shell commands\n\n\"__import__('subprocess').run(['ls', '-la'])\"<\/code><\/pre>\n\n\n\nHow to Restrict eval() for Safer Use<\/strong><\/h2>\n\n\n\n
import re\n\ndef safe_math_eval(expression):\n\n # Step 1: Validate input characters\n\n pattern = r'^[0-9\\s\\+\\-\\*\\\/\\%\\(\\)\\.\\*\\*]+$'\n\n if not re.match(pattern, expression):\n\n raise ValueError(\"Expression contains invalid characters\")\n\n # Step 2: Restrict namespace completely\n\n safe_globals = {\"__builtins__\": {}} # disable ALL built-ins\n\n safe_locals = {} # no variables allowed\n\n # Step 3: Evaluate in the restricted environment\n\n try:\n\n result = eval(expression, safe_globals, safe_locals)\n\n return result\n\n except ZeroDivisionError:\n\n raise ValueError(\"Division by zero\")\n\n except Exception as e:\n\n raise ValueError(f\"Invalid expression: {e}\")\n\n# Safe use\n\nprint(safe_math_eval(\"2 + 3 * 4\")) # 14\n\nprint(safe_math_eval(\"100 \/ 5\")) # 20.0\n\nprint(safe_math_eval(\"2 ** 8\")) # 256\n\n# Blocked dangerous inputs\n\ntry:\n\n safe_math_eval(\"__import__('os').system('ls')\")\n\nexcept ValueError as e:\n\n print(f\"Blocked: {e}\")<\/code><\/pre>\n\n\n\n\n
Safe Alternatives to eval()<\/strong><\/h2>\n\n\n\n
import ast\n\n# Safe: only parses literal Python structures\n\ndata = ast.literal_eval(\"[1, 2, 3, {'key': 'value'}]\")\n\nprint(data) # [1, 2, 3, {'key': 'value'}]\n\nprint(type(data)) # <class 'list'>\n\n# Also safe for numbers, strings, booleans\n\nnumber = ast.literal_eval(\"42\")\n\nprint(number) # 42\n\n# Cannot execute arbitrary code - this raises ValueError\n\ntry:\n\n ast.literal_eval(\"__import__('os').system('ls')\")\n\nexcept ValueError as e:\n\n print(f\"Safely blocked: {e}\")<\/code><\/pre>\n\n\n\nimport json\n\njson_data = '{\"name\": \"Alice\", \"age\": 30, \"scores\": [95, 87, 92]}'\n\ndata = json.loads(json_data)\n\nprint(data[\"name\"]) # Alice\n\nprint(data[\"scores\"]) # [95, 87, 92]<\/code><\/pre>\n\n\n\nimport operator\n\nops = {\n\n '+': operator.add,\n\n '-': operator.sub,\n\n '*': operator.mul,\n\n '\/': operator.truediv\n\n}\n\ndef calculate(a, op_symbol, b):\n\n if op_symbol not in ops:\n\n raise ValueError(f\"Unsupported operation: {op_symbol}\")\n\n return ops[op_symbol](a, b)\n\nprint(calculate(10, '+', 5)) # 15\n\nprint(calculate(10, '*', 3)) # 30<\/code><\/pre>\n\n\n\neval() vs exec(): Understanding the Difference<\/strong><\/h2>\n\n\n\n
# eval() evaluates EXPRESSIONS and RETURNS a value\n\nresult = eval(\"3 + 4\")\n\nprint(result) # 7\n\n# exec() executes STATEMENTS but returns None\n\nexec(\"x = 3 + 4\")\n\nprint(x) # 7 (x was set in the current namespace)\n\nprint(exec(\"3 + 4\")) # None\n\n# eval() raises SyntaxError for statements\n\ntry:\n\n eval(\"x = 10\") # Assignment is a statement, not expression\n\nexcept SyntaxError as e:\n\n print(f\"SyntaxError: {e}\")<\/code><\/pre>\n\n\n\nQuick Reference: When to Use and When to Avoid eval()<\/strong><\/h2>\n\n\n\n
\n