In the book that I am reading on Python, it keeps using the code eval(input(\'blah\'))
I read the documentation, and I understand it, but I still do no
I'm late to answer this question but, no one seems to give clear answer to the question.
If an user enters a numeric value, input()
will return a string.
>>> input('Enter a number: ')
Enter a number: 3
>>> '3'
>>> input('Enter a number: ')
Enter a number: 1+1
'1+1'
So, eval()
will evaluate returned value (or expression) which is a string and return integer/float.
>>> eval(input('Enter a number: '))
Enter a number: 1+1
2
>>>
>>> eval(input('Enter a number: '))
Enter a number: 3.14
3.14
Of cource this is a bad practice. int()
or float()
should be used instead of eval()
in this case.
>>> float(input('Enter a number: '))
Enter a number: 3.14
3.14
eval()
evaluates the passed string as a Python expression and returns the result. For example, eval("1 + 1")
interprets and executes the expression "1 + 1"
and returns the result (2).
One reason you might be confused is because the code you cited involves a level of indirection. The inner function call (input) gets executed first so the user sees the "blah" prompt. Let's imagine they respond with "1 + 1" (quotes added for clarity, don't type them when running your program), the input function returns that string, which is then passed to the outer function (eval) which interprets the string and returns the result (2).
Read more about eval here.
In Python 2.x input(...)
is equivalent to eval(raw_input(...))
, in Python 3.x raw_input
was renamed input
, which I suspect lead to your confusion (you were probably looking at the documentation for input
in Python 2.x). Additionally, eval(input(...))
would work fine in Python 3.x, but would raise a TypeError
in Python 2.
In this case eval
is used to coerce the string returned from input
into an expression and interpreted. Generally this is considered bad practice.
Lots of good answers here, but none describe the use of eval()
in the context of its globals
and locals
kwargs, i.e. eval(expression, globals=None, locals=None)
(see docs for eval
here).
These can be used to limit the functions that are available through the eval
function. For example if you load up a fresh python interpreter the locals()
and globals()
will be the same and look something like this:
>>>globals()
{'__loader__': <class '_frozen_importlib.BuiltinImporter'>, '__doc__': None,
'__spec__': None, '__builtins__': <module 'builtins' (built-in)>,
'__package__': None, '__name__': '__main__'}
There are certainly functions within the builtins
module that can do significant damage to a system. But it is possible to block anything and everything we don't want available. Let's take an example. Say we want to construct a list to represent a domain of the available cores on a system. For me I have 8 cores so I would want a list [1, 8]
.
>>>from os import cpu_count
>>>eval('[1, cpu_count()]')
[1, 8]
Likewise all of __builtins__
is available.
>>>eval('abs(-1)')
1
Ok. So there we see one function we want exposed and an example of one (of many that can be much more complex) method that we do not want exposed. So let's block everything.
>>>eval('[1, cpu_count()]', {'__builtins__':None}, {})
TypeError: 'NoneType' object is not subscriptable
We have effectively blocked all of the __builtins__
functions and as such brought a level of protection into our system. At this point we can start to add back in functions that we do want exposed.
>>>from os import cpu_count
>>>exposed_methods = {'cpu_count': cpu_count}
>>>eval('cpu_count()', {'__builtins__':None}, exposed_methods)
8
>>>eval('abs(cpu_count())', {'__builtins__':None}, exposed_methods)
TypeError: 'NoneType' object is not subscriptable
Now we have the cpu_count
function available while still blocking everything we do not want. In my opinion, this is super powerful and clearly from the scope of the other answers, not a common implementation. There are numerous uses for something like this and as long as it is handled correctly I personally feel eval
can be safely used to great value.
N.B.
Something else that is cool about these kwargs
is that you can start to use shorthand for your code. Let's say you use eval as part of a pipeline to execute some imported text. The text doesn't need to have exact code, it can follow some template file format, and still execute anything you'd like. For example:
>>>from os import cpu_count
>>>eval('[1,cores]', {'__builtins__': None}, {'cores': cpu_count()})
[1, 8]
The eval function lets a Python program run Python code within itself.
eval example (interactive shell):
>>> x = 1
>>> eval('x + 1')
2
>>> eval('x')
1
eval()
interprets a string as code. The reason why so many people have warned you about using this is because a user can use this as an option to run code on the computer. If you have eval(input())
and os
imported, a person could type into input()
os.system('rm -R *')
which would delete all your files in your home directory. (Assuming you have a unix system). Using eval()
is a security hole. If you need to convert strings to other formats, try to use things that do that, like int()
.