Jump to content

eval

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Eurleif (talk | contribs) at 20:35, 23 October 2007 (Python: The globals and locals arguments to eval do not make it secure. Builtins are still accessible, and so on.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In some programming languages, eval is a function which evaluates a string as though it were an expression and returns a result; in others, it executes multiple lines of code as though they had been included instead of the line including the eval.

Eval-like functions are more common in interpreted languages than in compiled languages, since including one in a compiled language would require including an interpreter or compiler with the program, and more runtime information (such as variable names). Some compiled languages do have something similar to an eval function, see below.

Security risks

Special care must be taken when using eval with data from an untrusted source. For instance, assuming that the get_data() function gets data from the Internet, this Python code is insecure:

data = get_data()
foo = eval(data)

An attacker could supply the program with the string "delete_system_files()" as data, which would result in the program calling the delete_system_files() function. To remedy this, all data which will be used with eval must be escaped, or it must be run without access to potentially harmful functions.

Uses

A call to eval is sometimes used by inexperienced programmers for all sorts of things. In most cases, there are alternatives which are more flexible and do not require the speed hit of parsing code.

For instance, eval is sometimes used for a simple mail merge facility, as in this PHP example:

$name = 'John Doe';
$greeting = 'Hello';
$template = '"$greeting,  $name! How can I help you today?"';
print eval("return $template;")

Although this works, it can cause some security problems (see security risks), and will be much slower than other possible solutions. A faster and more secure solution would be simply replacing the text "$name" with the name.

Eval is also sometimes used in applications needing to evaluate math expressions, such as spreadsheets. This is much easier than writing an expression parser, but finding or writing one would often be a wiser choice. Besides the fixable security risks, using the language's evaluation features would most likely be slower, and wouldn't be as customizable.

Perhaps the best use of eval is in bootstrapping a new language (as with Lisp), and in language tutor programs which allow users to run their own programs in a controlled environment.

Implementation

In interpreted languages, eval is almost always implemented with the same interpreter as normal code. In compiled languages, the same compiler used to compile programs may be embedded in programs using the eval function; separate interpreters are sometimes used, though this results in code duplication.

Programming languages

JavaScript

In JavaScript, eval is something of a hybrid between an expression evaluator and a statement executor. It returns the last expression evaluated (all statements are expressions in both Javascript & ActionScript), and allows the final semicolon to be left off.

Example as an expression evaluator:

foo = 2;
alert(eval('foo + 2'));

Example as a statement executor:

foo = 2;
eval('foo = foo + 2;alert(foo);');

One use of Javascript's eval is to parse JSON text, perhaps as part of an Ajax framework.

See also [1], [2].

For mathematical functions and constants see [3].

ActionScript

In ActionScript (Flash's programming language), eval can not be used to evaluate arbitrary expressions. According to the Flash 8 documentation, its usage is limited to expressions which represent "the name of a variable, property, object, or movie clip to retrieve. This parameter can be either a String or a direct reference to the object instance." [4]

Lisp

Lisp was the original language to make use of an eval function. In fact, definition of the eval function led to the first implementation of the language interpreter.

Before the eval function was defined, Lisp functions were manually compiled to assembly language statements. However, once the eval function had been manually compiled it was then used as part of a simple read-eval-print loop which formed the basis of the first Lisp interpreter.

Later versions of the Lisp eval function have also been implemented as compilers.

The eval function in Lisp expects a form to be evaluated and executed as argument. The return value of the given form will be the return value of the call to eval.

Now let us see some Lisp code:

; A form which calls the + function with 1,2 and 3 as arguments.
; It returns 6.
(+ 1 2 3)
; In lisp any a form is meant to be evaluated, therefore 
; the call to + was performed. 
; We can prevent Lisp from performing evaluation  
; of a form by prefixing it with "'", for example:
(setq form1 '(+ 1 2 3))
; Now form1 contains a form that can be used by eval, for
; example:
(eval form1)
; eval evaluated (+ 1 2 3) and returned 6.

Lisp is well known to be very flexible and so is the eval function. If for example we would like to evaluate the content of a string, we would first have to convert the string into a Lisp form using the read-from-string function and then to pass the resulting form to eval, like this:

(eval (read-from-string "(format t \"Hello World!!!~%\")"))

Perl

Perl's eval operator serves as its exception trapping mechanism. Thus a block of code can be tested and then warned against, if necessary. For example, a run-time error "$@" in say, a division operation, can write a warning, as below, for if there were no warning, $@ would be empty:

   # make divide-by-zero nonfatal
   eval { $answer = $a / $b; }; warn $@ if $@;

PHP

In PHP, eval executes code in a string almost exactly as if it had been put in the file instead of the call to eval(). The only exception is that errors are reported as coming from a call to eval(), and return statements become the result of the function.

Example using echo:

<?php
$foo = "Hello, world!\n";
eval("echo $foo;");
?>

Example returning a value:

<?php
$foo = "Goodbye, world!\n";  //does not work in PHP5
echo eval("return $foo;");
?>

PostScript

PostScript's exec operator takes an operand - if it is a simple literal it pushes it back on the stack. If one takes a string containing a PostScript expression however, one can convert the string to an executable which then can be executed by the interpreter, for example:

((Hello World) =) cvx exec

converts the PostScript expression

(Hello World) =

which pops the string "Hello World" off the stack and displays it on the screen, to have an executable type, then is executed.

PostScript's run operator is similar in functionality but instead the interpreter interprets PostScript expressions in a file, itself.

Python

In Python, the eval function in its simplest form evaluates a single expression.

eval example (interactive shell):

>>> x = 1
>>> eval('x + 1')
2
>>> eval('x')
1

The eval function takes two optional arguments, global and locals, which allow the programmer to set up a restricted environment for the evaluation of the expression.

The exec statement executes statements:

exec example (interactive shell):

>>> x = 1
>>> y = 1
>>> exec "x += 1; y -= 1"
>>> x
2
>>> y
0

The most general form for evaluating statements/expressions is using code objects. Those can be created by invoking the compile() function and by telling it what kind of input it has to compile: an "exec" statement, an "eval" statement or a "single" statement:

compile example (interactive shell):

>>> x = 1
>>> y = 2
>>> eval (compile ("print 'x + y = ', x + y", "compile-sample.py", "single"))
x + y =  3

ColdFusion

ColdFusion's evaluate function lets you evaluate a string expression at runtime.

<cfset x = "int(1+1)">
<cfset y = Evaluate(x)>

It is particularly useful when you need to programatically choose the variable you want to read from.

<cfset x = Evaluate("queryname.#columnname#[rownumber]")>

REALbasic

In REALbasic, there is a class called RBScript which can execute REALbasic code at runtime. RBScript is very sandboxed -- only the most core language features are there, you have to allow it access to things you want it to have. You can optionally assign an object to the context property. This allows for the code in RBScript to call functions and use properties of the context object. However, it is still limited to only understanding the most basic types, so if you have a function that returns a Dictionary or MySpiffyObject, RBScript will be unable to use it. You can also communicate with your RBScript through the Print and Input events.

Ruby

The Ruby language interpreter offers an eval function similar to Python or Perl, and also allows a scope, or binding, to be specified.

Aside from specifying a function's binding, eval may also be used to evaluate an expression within a specific class definition binding or object instance binding, allowing classes to be extended with new methods specified in strings.

 a = 1
 eval('a + 1') #  (evaluates to 2)
 
 # evaluating within a context
 def getBinding(a)
   return binding
 end
 eval('a+1',getBinding(3)) # (evaluates to 4, because 'a' in the context of getBinding is 3)
 class Test; end
 Test.class_eval("def hello; return 'hello';end") # add a method 'hello' to this class
 Test.new.hello                    # evaluates to "hello"

Ruby additionaly provides a convenient shorthand for evaluating elements of a string literal. In double-quoted strings literals, any characters enclosed in an #{} will be evaluated in the current scope, and the returned valued will be substituted for the #{}. For example:

 "#{class NewClass; def test; "Hello"; end; end}"
 a = NewClass.new
 print "#{a.test} There!"

Will display the message: Hello There!

FORTH

Most of standart implementation of FORTH has 2 variants of Eval: EVALUATE & INTERPRET. Win32FORTH code example:

 S" 2 2 + ." EVALUATE / Outputs "4"

Command line interpreters

Windows PowerShell

In Windows PowerShell, the Invoke-Expression Cmdlet serves the same purpose as the eval function in programming languages like JavaScript, PHP and Python. The Cmdlet runs any Windows PowerShell expression that is provided as a command parameter in the form of a string and outputs the result of the specified expression. Usually, the output of the Cmdlet is of the same type as the result of executing the expression. However, if the result is an empty array, it outputs $null. In case the result is a single-element array, it outputs that single element. Similar to JavaScript, Windows PowerShell allows the final semicolon to be left off.

Example as an expression evaluator:

PS> $foo = 2
PS> invoke-expression '$foo + 2'

Example as a statement executor:

PS> $foo = 2
PS> invoke-expression '$foo += 2; $foo'