Tip 87 Do Not eval(); It Is Evil

Pythonic Programming — by Dmitry Zinoviev (100 / 116)

The Pragmatic Programmers

★★2.7, 3.4+ The built-in function eval(expr) is the most misused and dangerous function in the Python standard library. The function takes the string expr and evaluates it as a Python expression. Essentially, eval is a Python interpreter in disguise. You can construct Python expressions on the fly and immediately evaluate them:

    message = 'Hello, world!'
    command = 'print(message)'
    eval(command)
    # You could have typed the command at the prompt!
=> Hello, world!

What could go wrong? Imagine that the command was not produced by your program by a carefully constructed algorithm but was entered by the user. For example, say you develop a program that allows users to calculate arithmetic expressions:

    command = input('Enter the expression you would like to calculate: ')
    eval(f'print({command})')
<= 1+1
=> 2

Seeing how it works, the user becomes somewhat naughty.
!!! DO NOT ATTEMPT TO RUN THIS CODE FRAGMENT !!! THIS FUNCTION WILL DELETE ALL YOUR FILES AND DIRECTORIES !!!

<= os.system('rm -rf /')
=> 0

The 0 displayed at the command prompt confirms your worst expectations: the user just removed the content of your root directory (or…
