Mastering Python’s eval(): How It Works, Uses, and Security Risks

What is eval in Python?

The eval function evaluates a string as a Python expression. Its syntax is eval(expression, globals=None, locals=None), where expression is a string, globals is an optional dictionary of global names, and locals is an optional dictionary of local names.

How eval works

When called, eval parses the expression, compiles it to bytecode, evaluates the bytecode, and returns the result.

Basic examples

num = "23"
float_num = "53.332"
complex_num = "2+3j"
str1 = "Not number"
print(eval(num), type(eval(num)))
print(eval(float_num), type(eval(float_num)))
print(eval(complex_num), type(eval(complex_num)))
print(eval(str1), type(eval(str1)))

The first three calls convert the string to an int, float, and complex number; the last call raises a SyntaxError because the string is not a valid Python expression.

Evaluating mathematical expressions

expr = "(2+(3*2))/2"
print(eval(expr))  # 4.0

Using globals

num1 = 100  # a global variable
print(eval("num1 + 100", {"num1": num1}))
num2 = 200
print(eval("num1 + num2", {"num1": num1, "num2": num2}))
print(eval("num1 + num2", {"num1": num1}))  # raises NameError

Using locals

print(eval("sum([a, 2, 2])", {}, {"a": 2}))  # 6

Restricting built‑ins

print(eval('abs(-1)', {"__builtins__": None}, {"abs": abs}))  # 1

Security considerations

The eval function can execute arbitrary code, which makes it unsafe for untrusted input. For example, a malicious user could run __import__('subprocess').getoutput('rm -rf *') to delete files on the server.

To mitigate risks, avoid eval when possible, or tightly control the globals and locals dictionaries so that only safe functions (e.g., abs, min, sum) are available.