RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://www.geeksforgeeks.org/python/difference-between-eval-and-ast-literal-eval-in-python/ below:

Difference Between eval() and ast.literal_eval() in Python

Last Updated : 23 Jul, 2025

Python provides multiple ways to evaluate expressions and convert data from one format to another. Two commonly used methods are eval() and ast.literal_eval(). While they might appear similar, they serve very different purposes and have significant security implications. This article explores the key differences between eval() and ast.literal_eval(), their use cases, security concerns and best practices.

What is eval()?

eval() is a built-in Python function that parses and evaluates expressions passed as a string. It can handle a wide variety of inputs, including arithmetic expressions, function calls, and even arbitrary code execution.

Syntax of eval()

eval(expression, globals=None, locals=None)

expression: A string representing the Python expression to evaluate.
globals: A dictionary representing the global namespace.
locals: A dictionary representing the local namespace.

Example:

Python


 exp = "2 + 3" # expression

res = eval(exp)
print(res)

Explanation: In this example, eval() evaluates the string "2 + 3" and returns the result 5.

Key Features of eval()

Powerful: It can evaluate any valid Python expression, including arithmetic operations, list comprehensions, function calls, and more.
Dynamic Execution: eval() allows execution of Python code dynamically at runtime.
Flexible: It can execute complex code beyond simple expressions, including conditionals, loops, and even function definitions.
Security Risk: Since eval() can execute arbitrary code, it poses serious security vulnerabilities if used with untrusted input.

What is ast.literal_eval?

ast.literal_eval() is a function from Python's ast (Abstract Syntax Tree) module. It safely evaluates a string containing a Python literal or a container object. Unlike eval(), it only processes basic literals like strings, numbers, lists, tuples, dictionaries, booleans, and None. It raises an error if the input contains anything beyond these, making it significantly safer.

Syntax of ast.literal_eval()

import ast
ast.literal_eval(node_or_string)

node_or_string: A string containing a Python literal to be evaluated.

What is Abstract Syntax Tree (AST)?

The Abstract Syntax Tree (AST) is a representation of source code structure. It breaks down the syntax into a tree-like format where each node represents a component of the syntax. The ast module provides access to Python’s AST and literal_eval() ensures that only safe literals are evaluated. Example:

Python


 import ast

# Converting a string representation of a list to an actual list
s = "[1, 2, 3, 4]"
res = ast.literal_eval(s)
print(res)

Explanation: In this example, ast.literal_eval() converts the string representation of a list into an actual list.

How does ast.literal_eval() work?

ast.literal_eval() parses the string into an AST syntax tree and verifies that it contains only valid literals. If an unsafe operation (such as function calls or execution commands) is found, it raises an exception. Example:

Python


 import ast

# Safe string evaluation
safe_expression = '{"name": "Aditya", "age": 24}'
res = ast.literal_eval(safe_expression)
print(res)

# Unsafe expression (raises ValueError)
unsafe_expression = "os.system('rm -rf /')"

try:
    res = ast.literal_eval(unsafe_expression)
except ValueError as e:
    print("Error:", e)

Output

{'name': 'Aditya', 'age': 24}
Error: malformed node or string on line 1: <ast.Call object at 0x7f27f021e2d0>

Explanation: ast.literal_eval() safely evaluates only literals (strings, numbers, tuples, lists, dicts, booleans, None). It converts a JSON-like string into a dictionary and prevents arbitrary code execution by raising a ValueError for unsafe expressions.

Key Features of ast.literal_eval()

Safe: It only evaluates literals, which ensures that no arbitrary code is executed, reducing the risk of security vulnerabilities.
Limited scope: It can only parse Python literals and does not evaluate arbitrary expressions or function calls.
Ideal for data parsing: It is commonly used when you need to safely convert a string representation of a Python literal into its corresponding data type, such as when reading data from JSON-like formats.

Key difference between eval() and ast.literal_eval Feature eval() ast.literal_eval Purpose Evaluate arbitrary Python expressions and code. Safely evaluate Python literals like strings, numbers, lists, etc. Security Unsafe, as it can execute arbitrary code. Safe, as it only evaluates literals and raises an error for non-literal expressions. Scope Can evaluate any valid Python code, including function calls and loops. Only evaluates simple data structures and literals. Use Cases Dynamic code execution, real-time expression evaluation. Parsing input that represents basic Python data types safely. Performance Slower due to dynamic nature and broad functionality. Faster since it only evaluates literals. Error Handling May silently execute malicious code if not handled properly. Raises an error if the input isn't a valid Python literal. When to Use eval() and ast.literal_eval()

Use eval(): When you need to evaluate expressions dynamically, and you can ensure that the input is safe and trustworthy.
Use ast.literal_eval(): When you need to safely convert a string representation of a basic Python literal into its corresponding data structure. It’s ideal for deserializing input from external sources, such as APIs, user forms, or configuration files, where safety is a concern.

Security Implications and Best Practices

Never use eval() on untrusted input (e.g., user input, data from APIs, or external files) to prevent code injection attacks.
Prefer ast.literal_eval() for safely evaluating string-based data into Python objects.
Consider safer alternatives like json.loads() or yaml.safe_load() for structured data formats.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4