I have a situation with some code where
eval() came up as a possible solution. Now I have never had to use
eval() before but, I have come across plenty of information about the potential danger it can cause. That said, I’m very wary about using it.
My situation is that I have input being given by a user:
datamap = raw_input('Provide some data here: ')
datamap needs to be a dictionary. I searched around and found that
eval() could work this out. I thought that I might be able to check the type of the input before trying to use the data and that would be a viable security precaution.
datamap = eval(raw_input('Provide some data here: ') if not isinstance(datamap, dict): return
I read through the docs and I am still unclear if this would be safe or not. Does eval evaluate the data as soon as its entered or after the
datamap variable is called?
.literal_eval() the only safe option?
datamap = eval(raw_input('Provide some data here: ')) means that you actually evaluate the code before you deem it to be unsafe or not. It evaluates the code as soon as the function is called. See also the dangers of
ast.literal_eval raises an exception if the input isn’t a valid Python datatype, so the code won’t be executed if it’s not.
ast.literal_eval whenever you need
eval. You shouldn’t usually evaluate literal Python statements.