459

How do I execute a string containing Python code in Python?

SilentGhost
  • 287,765
  • 61
  • 300
  • 288
hekevintran
  • 21,514
  • 29
  • 106
  • 174
  • 8
    To be fair, unlike the other question, this one isn't a duplicate. And others have posted much more basic questions than this. – DNS Mar 31 '09 at 16:25
  • 14
    The correct answer, of course, is almost always “don't!”. – bobince Mar 31 '09 at 16:28
  • 26
    @S. Lott: Haven't read the FAQ recently? "It's also perfectly fine to ask and answer your own programming question, but pretend you're on Jeopardy: phrase it in the form of a question". This is not a bad question. +1 – Devin Jeanpierre Mar 31 '09 at 17:48
  • @Devin Jeanpierre: I'm not happy with "SO is my blog" kinds of pseudo-questions. How do you separate folks who really need help from folks who are blogging from folks who won't even try to write their own code. – S.Lott Mar 31 '09 at 19:52
  • 59
    @S.Lott: You don't. You don't need to. If the question isn't on the site already, then it's fair game (according to the FAQ, as already pointed out). Just answer every question as though the OP needs help. They might not, but the next guy who reads their question probably will. Just my 2 cents. – Bill the Lizard Apr 02 '09 at 18:13
  • 2
    To all you saying not to do it: I have a case where I absolutely need to. It involves distributed processing. – sudo Aug 01 '16 at 08:23
  • This is abusive, but not because he's asking and answering his own question, it's abusive because it's a deceptive manipulation of what they're saying when they say `it's explicitly encouraged to ask and answer your own question`. That is explicitly calling out hard to solve problems that you struggled with and can't find an answer to by searching for it. It's not saying to use StackOverflow as a blog. Using it as such, while maybe not against the rules because of the way they worded `it's perfectly ok` makes you technically not wrong, this is definitely exploitative of the words nonetheless. – searchengine27 Feb 15 '17 at 17:05
  • Hi, hekevintran! Would you consider to accept an answer? [allan's one](https://stackoverflow.com/a/14926430/2989289) could help me in my search – artu-hnrq May 02 '20 at 03:21

14 Answers14

430

For statements, use exec(string) (Python 2/3) or exec string (Python 2):

>>> mycode = 'print "hello world"'
>>> exec(mycode)
Hello world

When you need the value of an expression, use eval(string):

>>> x = eval("2+2")
>>> x
4

However, the first step should be to ask yourself if you really need to. Executing code should generally be the position of last resort: It's slow, ugly and dangerous if it can contain user-entered code. You should always look at alternatives first, such as higher order functions, to see if these can better meet your needs.

Helen
  • 71,797
  • 10
  • 199
  • 256
Brian
  • 113,117
  • 28
  • 106
  • 111
  • 1
    but how about the scope of the code executed by 'exec'? is it nested? – jondinham Mar 06 '12 at 10:24
  • 27
    A common case where someone wants to use 'exec' is something like `if s=='foo': x.foo = 42 elif s=='bar': x.bar = 42` etc, which they may then write as `exec ("x.%s = 42" % s)`. For this common case (where you only need to access an object's attribute that is stored in a string), there is a much faster, cleaner and safer function `getattr`: just write `getattr(x, s) = 42` to mean the same thing. – ShreevatsaR Apr 19 '12 at 19:18
  • 7
    How is exec any slower than the python interpreter? – Cris Stringfellow Feb 06 '13 at 16:36
  • 7
    @ShreevatsaR don't you mean `setattr(x, s, 42)`? I tried `getattr(x, 2) = 42` and it failed with `can't assign to function call: , line 1` – Tanner Semerad Oct 11 '13 at 17:44
  • 7
    @Tanner: Hmm. Yes indeed `setattr(x, s, 42)` is the right syntax. Surprised it took so long for that error to be caught. Anyway, the point is that `getattr` and `setattr` are an alternative to `exec` when all you want is to get an arbitrary member, looked up by string. – ShreevatsaR Oct 11 '13 at 19:01
  • My usecase is allowing some debugging/admin access to a web service. – Sergey Orshanskiy Oct 02 '14 at 19:24
  • One legitimate use of the exec function I have found is when I define custom magics in iPython Notebook. The input to the magic function is a string representation of the code in the line or cell of the magic. After doing whatever "magic" the magic should do, you need to execute the code. – Gordon Bean Dec 03 '14 at 18:19
  • 1
    @CrisStringfellow slower because it has to recompile every time – Erik Aronesty Jul 08 '15 at 20:29
  • I don't recommend using exec() function because it cannot change local variables, which could cause faults. Please see https://www.sololearn.com/Discuss/1336429/exec-doesn-t-work-with-local-variables-in-function-python f – Z.LI Apr 26 '21 at 14:41
84

In the example a string is executed as code using the exec function.

import sys
import StringIO

# create file-like string to capture output
codeOut = StringIO.StringIO()
codeErr = StringIO.StringIO()

code = """
def f(x):
    x = x + 1
    return x

print 'This is my output.'
"""

# capture output and errors
sys.stdout = codeOut
sys.stderr = codeErr

exec code

# restore stdout and stderr
sys.stdout = sys.__stdout__
sys.stderr = sys.__stderr__

print f(4)

s = codeErr.getvalue()

print "error:\n%s\n" % s

s = codeOut.getvalue()

print "output:\n%s" % s

codeOut.close()
codeErr.close()
hekevintran
  • 21,514
  • 29
  • 106
  • 174
  • 3
    swapping out stdout and stderr like that make me very nervous. this looks like it could cause huge security problems. is there a way around that? – Narcolapser May 23 '11 at 13:33
  • 3
    @Narcolapser you should be mych more concerned with using `exec` at all (unless you _know_ the code string comes from a trusted source). – bruno desthuilliers Dec 02 '19 at 17:00
34

eval and exec are the correct solution, and they can be used in a safer manner.

As discussed in Python's reference manual and clearly explained in this tutorial, the eval and exec functions take two extra parameters that allow a user to specify what global and local functions and variables are available.

For example:

public_variable = 10

private_variable = 2

def public_function():
    return "public information"

def private_function():
    return "super sensitive information"

# make a list of safe functions
safe_list = ['public_variable', 'public_function']
safe_dict = dict([ (k, locals().get(k, None)) for k in safe_list ])
# add any needed builtins back in
safe_dict['len'] = len

>>> eval("public_variable+2", {"__builtins__" : None }, safe_dict)
12

>>> eval("private_variable+2", {"__builtins__" : None }, safe_dict)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 1, in <module>
NameError: name 'private_variable' is not defined

>>> exec("print \"'%s' has %i characters\" % (public_function(), len(public_function()))", {"__builtins__" : None}, safe_dict)
'public information' has 18 characters

>>> exec("print \"'%s' has %i characters\" % (private_function(), len(private_function()))", {"__builtins__" : None}, safe_dict)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "<string>", line 1, in <module>
NameError: name 'private_function' is not defined

In essence you are defining the namespace in which the code will be executed.

Sergey Orshanskiy
  • 6,474
  • 1
  • 44
  • 48
alan
  • 2,950
  • 1
  • 31
  • 34
  • 12
    It is not possible to make eval safe: [Eval really is dangerous](http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html). If you take code from me and eval it, I can segfault your Python program. Game over. – Ned Batchelder Feb 18 '13 at 04:20
  • @NedBatchelder: this is no more dangerous than anything. in your link `rm /rf` is mentioned. so should we say that bash is dangerous because we can also do that ? the only problem is elevation attacks. But we care not about this if the script is not a remote service (i.e. if it is just something executed by you). – v.oddou Jan 13 '15 at 03:41
  • 5
    @v.oddou I was responding to alan's statement, "eval and exec .. can be used in a safe manner." This is false. If someone said, "bash can be used in a safe manner," that would also be false. Bash is dangerous. It is a necessary danger, but dangerous nevertheless. Claiming that eval can be made safe is simply wrong. – Ned Batchelder Jan 13 '15 at 15:10
  • 1
    @NedBatchelder yes indeed. and the link you point to is good material. with power comes responsibility, so the point is simply to be aware of the potential power of eval. and if we decide that power=danger. – v.oddou Jan 14 '15 at 02:08
  • 4
    @NedBatchelder Many pieces of code written in Python can be dangerous as well, but why are you assuming that `eval` or `exec` are intended to be used as `exec(input("Type what you want"))`? There are many cases where a program may write a procedure or a function as a result of a computation; resulting functions will be as safe and as fast (once evaluated) as any other part of a good and well-written program. _An unsafe program containing `exec` is not more dangerous than an unsafe program doing the damage by itself as `exec` doesn't give any new privilege to the program._ – Thomas Baruchel Nov 16 '16 at 10:46
  • 1
    @ThomasBaruchel again, my point is to counter the notion that eval or exec can be made safe. In particular, this answer claims that controlling the globals and locals will make it possible to use them safely. That is false. Any time you use exec and eval, you have to know precisely what code is being executed. If you don't, then you are open to dangerous operations. – Ned Batchelder Nov 16 '16 at 23:10
22

Remember that from version 3 exec is a function!
so always use exec(mystring) instead of exec mystring.

Remi Guan
  • 20,142
  • 17
  • 60
  • 81
bheks
  • 283
  • 3
  • 2
15

Avoid exec and eval

Using exec and eval in Python is highly frowned upon.

There are better alternatives

From the top answer (emphasis mine):

For statements, use exec.

When you need the value of an expression, use eval.

However, the first step should be to ask yourself if you really need to. Executing code should generally be the position of last resort: It's slow, ugly and dangerous if it can contain user-entered code. You should always look at alternatives first, such as higher order functions, to see if these can better meet your needs.

From Alternatives to exec/eval?

set and get values of variables with the names in strings

[while eval] would work, it is generally not advised to use variable names bearing a meaning to the program itself.

Instead, better use a dict.

It is not idiomatic

From http://lucumr.pocoo.org/2011/2/1/exec-in-python/ (emphasis mine)

Python is not PHP

Don't try to circumvent Python idioms because some other language does it differently. Namespaces are in Python for a reason and just because it gives you the tool exec it does not mean you should use that tool.

It is dangerous

From http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html (emphasis mine)

So eval is not safe, even if you remove all the globals and the builtins!

The problem with all of these attempts to protect eval() is that they are blacklists. They explicitly remove things that could be dangerous. That is a losing battle because if there's just one item left off the list, you can attack the system.

So, can eval be made safe? Hard to say. At this point, my best guess is that you can't do any harm if you can't use any double underscores, so maybe if you exclude any string with double underscores you are safe. Maybe...

It is hard to read and understand

From http://stupidpythonideas.blogspot.it/2013/05/why-evalexec-is-bad.html (emphasis mine):

First, exec makes it harder to human beings to read your code. In order to figure out what's happening, I don't just have to read your code, I have to read your code, figure out what string it's going to generate, then read that virtual code. So, if you're working on a team, or publishing open source software, or asking for help somewhere like StackOverflow, you're making it harder for other people to help you. And if there's any chance that you're going to be debugging or expanding on this code 6 months from now, you're making it harder for yourself directly.

Community
  • 1
  • 1
Caridorc
  • 3,691
  • 27
  • 40
  • 1
    "my best guess is that you can't do any harm if you can't use any double underscores" - You could construct a string containing double underscores, and then call eval that string. – Stanley Bak Oct 11 '16 at 16:11
  • good advice, unless you are writing a code generator, or job runner or similar ... which most people here are probably doing. – Erik Aronesty May 03 '19 at 12:59
  • 1
    I have to import a relative path from a config-file (`cfg.yaml`): `reldir : ../my/dir/ `, and `reldir = cfg[reldir]`. However, as this python code shall run on both Windows and Linux, I need this to adjust to the different operating systems path dividers; either `\\ ` or `/`. So I use `reldir : os.path.join('..','my','dir')` in the config file. But this only results in `reldir` being this literal string, not being evaluated, so I cannot open a file in `reldir`. Do you have a suggestion? – Marie. P. Mar 11 '20 at 14:18
  • Uhm, no. These are highly pythonic. What do you think a REPL is? – Blaze Oct 17 '20 at 20:30
13

eval() is just for expressions, while eval('x+1') works, eval('x=1') won't work for example. In that case, it's better to use exec, or even better: try to find a better solution :)

Jérôme Verstrynge
  • 55,046
  • 88
  • 271
  • 437
LGB
  • 139
  • 1
  • 2
10

It's worth mentioning, that' exec's brother exist as well called execfile if you want to call a python file. That is sometimes good if you are working in a third party package which have terrible IDE's included and you want to code outside of their package.

Example:

execfile('/path/to/source.py)'

or:

exec(open("/path/to/source.py").read())

user1767754
  • 21,126
  • 14
  • 125
  • 152
9

You accomplish executing code using exec, as with the following IDLE session:

>>> kw = {}
>>> exec( "ret = 4" ) in kw
>>> kw['ret']

4
octopusgrabbus
  • 10,250
  • 13
  • 64
  • 126
gus
  • 99
  • 1
  • 2
8

As the others mentioned, it's "exec" ..

but, in case your code contains variables, you can use "global" to access it, also to prevent the compiler to raise the following error:

NameError: name 'p_variable' is not defined

exec('p_variable = [1,2,3,4]')
global p_variable
print(p_variable)
Minions
  • 4,334
  • 3
  • 40
  • 79
6

I tried quite a few things, but the only thing that worked was the following:

temp_dict = {}
exec("temp_dict['val'] = 10") 
print(temp_dict['val'])

output:

10

paul-shuvo
  • 1,772
  • 3
  • 31
  • 37
5

Use eval.

Pablo Santa Cruz
  • 170,119
  • 31
  • 233
  • 283
5

Check out eval:

x = 1
print eval('x+1')
->2
ryeguy
  • 63,287
  • 56
  • 190
  • 257
1

Ok .. I know this isn't exactly an answer, but possibly a note for people looking at this as I was. I wanted to execute specific code for different users/customers but also wanted to avoid the exec/eval. I initially looked to storing the code in a database for each user and doing the above.

I ended up creating the files on the file system within a 'customer_filters' folder and using the 'imp' module, if no filter applied for that customer, it just carried on

import imp


def get_customer_module(customerName='default', name='filter'):
    lm = None
    try:
        module_name = customerName+"_"+name;
        m = imp.find_module(module_name, ['customer_filters'])
        lm = imp.load_module(module_name, m[0], m[1], m[2])
    except:
        ''
        #ignore, if no module is found, 
    return lm

m = get_customer_module(customerName, "filter")
if m is not None:
    m.apply_address_filter(myobj)

so customerName = "jj" would execute apply_address_filter from the customer_filters\jj_filter.py file

Brian
  • 186
  • 1
  • 10
1

The most logical solution would be to use the built-in eval() function .Another solution is to write that string to a temporary python file and execute it.

John T
  • 23,207
  • 11
  • 54
  • 82