
# EVAL and EXEC - Evaluating Expressions Dynamically

***
# Python eval()

Python’s eval() evaluates an arbitrary Python expression supplied either as a string or as a compiled code object (the result of compile()). It is handy when the expression to evaluate is only known at run time, for example because it arrives as text.

Although Python’s eval() is an incredibly useful tool, the function has some important security implications that you should consider before using it. In this tutorial, you’ll learn how eval() works and how to use it safely and effectively in your Python programs.

## General Form

`eval(expression[, globals[, locals]])`

expression is a str or a code object; globals, if given, must be a dict; locals may be any mapping object.


## The First Argument - expression

In [None]:
eval('2 * 8')

In [None]:
eval('1024 + 1024')

In [None]:
x = 100
eval('x**2')

In [None]:
number_1 = '2'
number_2 = '3'
operation = '*'
# the string '2*3' is assembled first, then handed to eval()
result = eval(f'{number_1}{operation}{number_2}')
result

### Expressions


A piece of syntax which can be evaluated to some value. In other words, an expression is an accumulation of expression elements like literals, names, attribute access, operators or function calls which all return a value. In contrast to many other languages, not all language constructs are expressions. There are also statements which cannot be used as expressions, such as while. Assignments are also statements, not expressions.

### Statements

A statement is part of a suite (a “block” of code). A statement is either an expression or one of several constructs with a keyword, such as if, while or for.


In [None]:
x = 100
eval('if x: print(x)')

eval() only accepts expressions.

Passing a statement, such as if, for, while, import, def, or class, raises SyntaxError before anything is evaluated. The check is purely syntactic: a call to the built-in __import__() function is an expression and is accepted, which is why the security section below matters.


In [None]:
eval('pi = 3.1416')

Assignment statements aren't valid either. (The assignment expression operator := introduced in Python 3.8 is an expression, so eval('(pi := 3.1416)') is accepted and binds pi in the locals mapping; keep that in mind before assuming an expression cannot assign anything.)

In [None]:
eval('5 + 6 * ')

You can't violate Python syntax: a malformed or incomplete expression raises SyntaxError at parse time.

## The second argument - globals

When globals is omitted, eval() uses the global namespace of the caller, which is why module-level names such as x and y resolve in the cells below.

In [None]:
x = 100
eval('x+100')

In [None]:
y = 200
eval('x+y')

In [None]:
base_number = 100
exponent = 2

In [None]:
eval('x**y', {'x': base_number, 'y': exponent})

An explicit dict becomes the only global namespace the expression sees, so base_number and exponent are reachable only under the names x and y given here. If the dict has no `__builtins__` key, eval() inserts one referring to the builtins module before evaluating, so built-in functions stay available unless you override that key yourself.

## The third argument - locals

locals is consulted before globals, and unlike globals it may be any mapping object, not only a dict.

In [None]:
x = 100
y = 2

In [None]:
eval('x**y',{}, {'x': x, 'y': y})
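The following is an added example, not part of the original tutorial, showing how eval() resolves names across the locals, globals and builtins namespaces: locals shadow globals, eval() injects `__builtins__` into a globals dict that lacks it, omitted arguments fall back to the calling frame, and locals may be any mapping (a defaultdict here). All values and namespaces are constructed for illustration.

```python
# Added example (not from the original tutorial): how eval() resolves names
# through the globals and locals arguments. The namespaces and values below
# are constructed for illustration.
from collections import defaultdict


def lookup_order():
    """Names are looked up in locals first, then globals, then builtins."""
    g = {'x': 2, 'y': 3}
    l = {'y': 10}
    results = {}
    # y is present in both mappings; the locals value wins: 2 ** 10
    results['locals_shadow_globals'] = eval('x ** y', g, l)
    # with no locals mapping, globals alone is used: 2 ** 3
    results['globals_only'] = eval('x ** y', g)
    # len() was never placed in g, yet it resolves: eval() inserted a
    # '__builtins__' entry into g before evaluating the first expression
    results['builtins_injected'] = '__builtins__' in g
    results['builtin_call'] = eval('len([x, y])', g)
    return results


def defaults_see_caller_frame(a, b):
    """With both arguments omitted, eval() uses the calling frame's own
    globals() and locals(), which is why a and b are visible here."""
    return eval('a + b')


def locals_can_be_any_mapping():
    """locals need not be a dict: any mapping works. A defaultdict supplies a
    value (0) for every name, so even an undefined name resolves."""
    return eval('never_defined + 1', {}, defaultdict(int))
```

The defaultdict case is worth remembering when reviewing code that passes a custom mapping as locals: such a mapping decides what every name means, including names the expression author never defined.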

## An example

In [None]:
def function(a, b, condition):
    if eval(condition):
        return a+b
    return a-b


In [None]:
function(2, 4, 'a>b')

In [None]:
function(2, 4, 'a<b')

In [None]:
function(2, 2, 'a is b')

The last call returns a+b only because `is` compares object identity and CPython caches small integers, so the two 2s happen to be the same object; for value comparison use == instead.



## Security Issues

Although it has an almost unlimited number of uses, Python’s eval() also has important security implications. eval() is considered insecure because it allows you (or your users) to dynamically execute arbitrary Python code.

This is considered bad programming practice because the code that you’re reading (or writing) is not the code that you’ll execute. If you’re planning to use eval() to evaluate input from a user or any other external source, then you won’t know for sure what code is going to be executed. That’s a serious security risk if your application runs in the wrong hands.

For this reason, good programming practices generally recommend against using eval(). But if you choose to use the function anyway, then the rule of thumb is to never ever use it with untrusted input. The tricky part of this rule is figuring out which kinds of input you can trust.

As an example of how using eval() irresponsibly can make your code insecure, suppose you want to build an online service for evaluating arbitrary Python expressions. Your user will introduce expressions and then click the Run button. The application will get the user’s input and pass it to eval() for evaluation.

This application will run on your personal server, the same server where you keep all those valuable files. If the server is a Linux box and the application's process has the right permissions, a malicious user could submit a string like the following:

"__import__('subprocess').getoutput('rm -rf *')"

Note that this is a legitimate expression: the import statement is refused by eval(), but a call to the built-in __import__() function is not. Evaluating it would recursively delete everything under the process's current working directory that the process is allowed to remove. That would be awful, wouldn't it?

When the input is untrusted, there's no completely effective way to make eval() safe. You can reduce the exposure by restricting the execution environment, for example by passing a globals dict whose `__builtins__` entry is empty so that names like `__import__` and `open` no longer resolve, but this is not a sandbox: attribute access on ordinary objects still leads back into the interpreter. If the input is meant to be data (numbers, strings, lists, dicts), use `ast.literal_eval()` instead; if it is meant to be an arithmetic or comparison expression, parse it with the `ast` module and evaluate only the constructs you explicitly allow.
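As an added example, not from the original tutorial, the code below shows both approaches side by side: eval() with an emptied `__builtins__` table, which stops the payload above with NameError but remains defence in depth only, and a small whitelist evaluator built on the `ast` module that refuses calls, attribute access and subscripts before anything runs and caps exponents to avoid `9**9**9**9`-style resource exhaustion. The MAX_EXPONENT limit and the sample expressions are assumptions made for illustration.

```python
# Added example (not from the original tutorial): two ways of reducing what an
# untrusted expression string can do. Sample expressions are constructed.
import ast
import operator

MAX_EXPONENT = 10_000  # hypothetical limit against 9**9**9**9-style blow-ups


def eval_without_builtins(expr, names):
    """Stage 1: evaluate with an empty __builtins__ table, so the expression
    cannot reach __import__, open, getattr and friends by name. Plain
    arithmetic still works; the rm -rf payload fails with NameError.
    This is NOT a sandbox: attribute access on ordinary objects still leads
    back into the interpreter, so treat it as defence in depth only."""
    env = {'__builtins__': {}}
    env.update(names)
    return eval(expr, env)


_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_CMP_OPS = {
    ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_eval(expr, names=None):
    """Stage 2: parse with the ast module and evaluate only a whitelist of
    node types. Calls, attribute access, subscripts, comprehensions and any
    name outside `names` are refused before anything is evaluated."""
    names = names or {}
    tree = ast.parse(expr, mode='eval')   # statements raise SyntaxError here

    def visit(node):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in names:
                return names[node.id]
            raise NameError(f"unknown name {node.id!r}")
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](visit(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            left, right = visit(node.left), visit(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            return _BIN_OPS[type(node.op)](left, right)
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](visit(node.left),
                                               visit(node.comparators[0]))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return visit(tree)


def outcome(fn, *args):
    """Helper for the checks: name of the exception raised, or None."""
    try:
        fn(*args)
    except Exception as exc:
        return type(exc).__name__
    return None
```

safe_eval() is the shape to reach for when the feature really is "let the user type an arithmetic expression": the parser, not a blacklist of strings, decides what is allowed, and everything else is rejected with a clear error before evaluation starts.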

## Python exec()

The exec() built-in executes dynamically created Python code, given either as a string or as a code object. Unlike eval(), it accepts statements (assignments, def, class, import, loops), so it is strictly more powerful and everything said above about untrusted input applies with at least as much force. exec() always returns None; results have to be read back from the namespace the code ran in.

`exec(object[, globals[, locals]])`

In [None]:
x = 10
x

In [None]:
antecessor = eval('x-1')

In [None]:
antecessor

In [None]:
exec('successor = x+1')

In [None]:
successor
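The cells above let exec() write straight into the notebook's globals. The following added example, not part of the original tutorial, gives exec() its own namespace dict instead, so dynamically defined names can be collected and inspected without touching the caller's module, and it shows the common pitfall that exec() inside a function cannot create a real local variable. The source string is constructed for illustration.

```python
# Added example (not from the original tutorial): giving exec() its own
# namespace dictionary instead of letting it write into the caller's globals.
# The source string below is constructed for illustration.

CONSTRUCTED_SOURCE = """
def successor(n):
    return n + 1

computed = successor(x)
"""


def run_in_namespace(source, seed):
    """Run `source` against a fresh dict seeded with `seed`. Everything the
    code defines or assigns lands in that dict, which is returned, and the
    caller's module globals stay untouched. exec() itself returns None."""
    ns = dict(seed)
    returned = exec(source, ns)
    assert returned is None   # exec() never returns a value
    return ns


def module_globals_untouched():
    """True when neither name from the source string leaked into this module."""
    return 'computed' not in globals() and 'successor' not in globals()


def exec_cannot_add_function_locals():
    """Inside a function, exec() with the default namespaces writes into the
    dict returned by locals(), which does not feed back into the function's
    real local variables. `successor` is therefore never bound as a local;
    the read below compiles as a global lookup and raises NameError."""
    x = 10
    exec('successor = x + 1')
    try:
        return successor
    except NameError:
        return 'NameError'
```

Passing an explicit dict is also what makes the result inspectable: after the call, ns['computed'] holds the value and ns['successor'] the function object, and a failed run leaves the calling module exactly as it was.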