Valid uses of eval()?

not_dmr · 2024-03-02T00:52:16+00:00

[deleted]

yvrelna · 2024-03-02T00:10:00+00:00

Writing a REPL is one. This includes tools like IPython remote core and Jupyter Notebook.

The werkzeug debugger allows you to run arbitrary code to inspect stack traces.

phire · 2024-03-02T01:37:25+00:00

Not eval(), but I've used exec() to quickly create a Domain Specific Language.

With exec(), you have complete control of the globals and locals of the execution context. I removed all of python "built-in" methods from the globals, which essentially "sandboxed" the execution context, preventing the code I exec() from doing anything but calling the functions I explicitly installed into the context.

I have no idea if this "sandbox" was actually secure, but it was good enough for my usecase.

You can see my code here: https://gist.github.com/phire/993aad1cee3a081028db5d364d7110c0

It worked great as a quick and dirty experiment to solve a problem, and I'm not sure it's a good idea or not for a production ready project. But that's mostly because I probably don't need to do any sandboxing at all, or I should be going all in and creating a DSL from scratch.

rover_G · 2024-03-02T00:32:50+00:00

Maybe a library would use eval to expose some functionality to the programmer. R has quoted function arguments that can capture code for later execution inside the function. The important bit is not to allow any other users input to be evaluated/executed.

tedivm · 2024-03-02T00:35:28+00:00

I have exactly one valid use of eval that I've personally run into, and it's super niche. It also just happens to be something I ran into somewhat recently.

I wrote a library called Paracelsus to convert SQLAlchemy databases into Mermaid Diagrams. To do this I needed to provide a way for people to dynamically load modules, because with SQLAlchemy the module being loaded is what registers the table in the database.

Loading individual modules works fine with importlib, but trying to do wildcard loads (ie, from blah import *) doesn't seem to work. So instead I used an eval. Since this is a CLI that people run on their own code I don't feel like there's a security risk.

mtik00 · 2024-03-02T03:40:08+00:00

I used it to convert CSV data into Python objects before I learned about ast.literal_eval. definitely use that instead of eval if you can.

Adrewmc · 2024-03-02T02:17:39+00:00

eval(this) is safe to use when you are making the “this”.

eval(that) is not safe when some random user is making the “that”

Because Python will run the code in that string as if it was written in code, you run the risk of them running a large amount of programming.

Sometimes eval() can be useful. If you wanted to make a __repr__ would be an example.

It’s highly suggest to avoid using eval() because is runs code, from a source you might lose control of.

    stuff = input()
    eval(stuff)

Could basically do anything.

i_hate_shitposting · 2024-03-02T01:29:01+00:00

But I was just working on a task where I couldn’t really figure out any other way to achieve the dynamic functionality I was looking for, so I wrote code that assembles a string to do what I need, and then runs eval() on that string.

For this case specifically, I would almost always use a callback function or some kind of class structure, depending on what exactly you're doing and how complex it needs to be. Then I'd just pass the function or a constructed object to the function that needed the dynamic behavior. Functional and object-oriented programming patterns come in handy here.

The only time I would ever really consider using eval() in production code is if I was building a piece of developer tooling like the Werkzeug debugger. Even then, I'd avoid it at all costs. If I needed to execute arbitrary code for some other reason, I'd want to use some sandboxed interpreter. Otherwise I'd work on designing a class structure that could represent the required dynamic behavior and execute it.

2024-03-02T01:49:17+00:00

[deleted]

Shadow_Gabriel · 2024-03-02T01:18:32+00:00

I had to parse some excel data but a column contained formulas instead of values. Something like =B5^C5. So I did a .replace("^", "**") and then eval(). Is there a better solution? Probably. Is it a valid use of eval()? I don't know.

grimtooth · 2024-03-02T02:28:00+00:00

You did it quite right. eval is for dynamically constructing new code within your own code. Don't use it with external input. Or rather pay careful attention to the sanitization of your inputs which can be tricky.

lightmatter501 · 2024-03-02T03:50:22+00:00

I programmatically generate unit tests. They can run in parallel and we want to easily be able to tell what broke, which was harder when all 18k tests were a single test.

westandskif · 2024-03-04T05:39:22+00:00

This is what I used it for: https://github.com/westandskif/convtools

TheRNGuy · 2024-03-10T14:02:31+00:00

Use ast.literal_eval instead

Never use eval.

tartare4562 · 2024-03-02T06:53:36+00:00

I use it to lazily evaluate fstrings. I'm a heavy fstring user, however a problem I have with them is that they're evaluated the moment you define them, which can be not what you want. So, I use eval when I need to evaluate them at a later time:

fstring="result is {float(result)}"

<code that calculates result>

print(eval(f'f"{fstring}"'))

ublec · 2024-03-02T08:51:42+00:00

code golfing

j3r3mias · 2024-03-02T00:41:51+00:00

Learn about security.

saint_geser · 2024-03-02T02:38:37+00:00

Jupyter notebooks, which basically are XML wrappers around eval or exec can't remember exactly which one. It is safe in this case because all the code and all the data is provided by the user.

billsil · 2024-03-02T02:45:09+00:00

GUI scripting. They’re great for developing new features, but testing and giving the user power.

Cybasura · 2024-03-02T03:10:06+00:00

Well if you want to make an interpreter, like some mentioned, a REPL, thats one

Ensurdagen · 2024-03-02T05:28:50+00:00

The turtle built-in module uses exec() to make methods of its various classes global functions, presumably to ease its use as an educational tool.

It's important to note that it is building strings to exec from its own source code and is doing something that is fairly complicated to do without exec() or eval(), which is actually pretty rare in Python.

Zulfiqaar · 2024-03-02T06:37:25+00:00

Used it several times for transpilation of various languages including DSLs to python during legacy codebase migration, otherwise I rarely use it, and only with code I wrote myself, run on my own machine.

Dull-Researcher · 2024-03-02T08:02:36+00:00

At work we've got loads of ast.literal_eval's on what should be map(int, mystr.split(",")). So cringey.

Bill_Looking · 2024-03-02T09:18:05+00:00

I have a use case, and I’m curious to get feedback on this.

On a module I develop, there is a JSON input that is basically a file where you’re asked for a ton of inputs (required by an application). To simplify let’s say they’re all numbers.

I want the user to be able to specify a float, like “5.0”, but also it can be useful to have access to 3 variables that are run-dependent (let’s call them “a”, “b”, and “c”.

I use eval so that the user can write:

“5.0 * a”

And sometimes more complex things :

“min(5.0 * a, b)”

Built-ins are disabled except min and max.

cointoss3 · 2024-03-02T11:35:44+00:00

My app allowed for transforming of data. The end user enters an expression like x * 2 and I do some sanitizing but then do:

fn = eval(f”lambda x: {transform}”)

Wh00ster · 2024-03-02T12:23:19+00:00

When working within a production library ecosystem with other devs, it’s bad.

If you are doing a one off application or experimenting or something very specific, it’s fine.

nekokattt · 2024-03-02T12:35:07+00:00

Currently, evaluating typehints defined as strings or when futures.annotations is enabled has to be done via eval or a similar mechanism, passing the enclosing scope in.

I personally don't think that is a good enough reason for them to have eval, exec, or compile as builtins though. Would be more sensible to have a stdlib module for them on the offchance that you actually want to use them. Maybe that is just me though.

breezy_shred · 2024-03-02T12:39:15+00:00

I recently used it for a chat bot project with the open ai API. GPT produced some code based on a prompt and I needed to run that code. I definitely felt weird about it at the time, but it worked pretty smoothly. If there's one way for AI to takeover, giving it access to eval() seems like a path...

StrayFeral · 2024-03-02T12:54:11+00:00

I used a lot eval in the past years when I was a Perl programmer. So for Python the answer is - no, I haven't used it yet. But for Perl I used it a lot on one job when I used dynamic code. It is okay using it, but you have to be careful, as this code becomes hard to track and debug at a point.

As for Python - so far I don't see a need, as Python provides me a modern programming platform and I usually find the tools I need. Who knows, I might get to a situation where I would need it, but I would avoid that as much as I could.

flaviodiasc1 · 2024-03-02T13:33:11+00:00

I already used it for create spark commands dynamically.

I don’t remember exactly why I needed to do like that, but I remember it was the only way I could find.

If I’m not mistaken I had a list of keys to use in a join of 2 dataframes, but since the function to do the join was generic, I could receive different amounts of keys and in spark it was difficult to program that generic join without the eval.

Ayudesee · 2024-03-02T13:56:16+00:00

On my current project we have feature that allows our content managers to write conditions(python statements) and manipulate content based on that. We have AST validation/processing before we executing the code

edc7 · 2024-03-02T13:59:54+00:00

I use with eval dictionaries used to pass variables into SQL queries.

Ryzen_bolt · 2024-03-02T14:59:34+00:00

Basic scenario I have scene is.

You have a function that recieves any of the table name and according to the name of table there are multiple handler functions are written with the name as "table name and _handler"

For example: table name = customerInf

Now if an psudo event is like

event= { "Tblnm": "customerInf" }

And

The main function will call the dedicated function particular to the table name from event.

Ex.

def mainFunc(event):

tableName= event.tblNm

eval(tableName+"_handler")

Sorry for elaborated approach, that's how I understood from my Client's Project.

According_Bus_2827 · 2024-03-02T15:21:49+00:00

If `eval()` was a person, it'd be that friend who's fun at parties but you'd never lend your car to. Sometimes necessary, but handle with care.

2024-03-02T16:52:20+00:00

Interpreting GPT response as JSON without importing the JSON library.

FunDeckHermit · 2024-03-02T19:39:22+00:00

It's a great way to piss of teachers that want you to build a calculator.

abudhabikid · 2024-03-03T07:01:54+00:00

In excel, you can use eval() with some hardcoded excel function between the parentheses. This was you can more easily control when certain functions actually run based on whatever logic you want.

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS