[Python-ideas] Any chance on (slowly) deprecating `eval` and `exec` as builtins?

Steven D'Aprano steve at pearwood.info
Tue Nov 7 21:26:22 EST 2017

On Tue, Nov 07, 2017 at 01:53:00PM -0800, Guido van Rossum wrote:
> On Tue, Nov 7, 2017 at 2:29 AM, אלעזר <elazarg at gmail.com> wrote:
> > The dangers of eval and exec are obvious and well known to advanced users,
> > but the availability as built-in functions makes it too tempting for
> > beginners or even medium-level programmers.
> >
> I find it dubious to claim that these functions are dangerous to beginners.

I don't think it's so much that eval/exec are in themselves dangerous 
to beginners as that their easy availability as builtins encourages bad 
habits that can last long after the programmer is no longer a beginner.

I know the Python ecosystem is not quite the wild west that PHP and 
JavaScript sometimes are, but code injection attacks do exist:



Sometimes they're written by beginners whose code isn't being reviewed 
carefully enough, and sometimes they're written by experienced coders 
who have simply learned bad habits and haven't learned better.

I don't want to scare people away from using eval/exec, but it would be 
great if we could gently encourage them to think before using them, and 
to prefer literal_eval instead.
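The contrast Steven draws between eval and literal_eval, as an added example that is not part of the original post or of CPython: the same untrusted string goes through a vulnerable `eval` path and through an `ast.literal_eval` path, and the test shows that a payload which `eval` happily executes is refused by `literal_eval` because it is not a literal. The sample inputs and the `MAX_INPUT_LEN` cap are constructed for this example; the cap is a hypothetical mitigation for the documented fact that `literal_eval` can exhaust the parser's stack on deeply nested input.

```python
import ast

# Constructed sample inputs, standing in for untrusted text a program might
# accept from a user, a config file or a network peer.
SAFE_INPUT = "[1, 2, {'a': (3, 4)}]"
# A harmless payload that nonetheless proves arbitrary code runs: eval will
# import os and call a function; literal_eval must refuse it.
INJECTION_INPUT = "__import__('os').getpid()"
# A harmless-looking arithmetic expression: still code, not a literal.
EXPRESSION_INPUT = "2 ** 64"

# Hypothetical cap: ast.literal_eval is documented to be able to crash the
# interpreter on sufficiently nested input, so bound the size before parsing.
MAX_INPUT_LEN = 4096


def parse_with_eval(text):
    """Vulnerable: eval() executes whatever expression the caller supplies.

    Stripping builtins (eval(text, {"__builtins__": {}})) is not a fix; it is
    well known that attribute chains on ordinary objects reach them again.
    """
    return eval(text)


def parse_with_literal_eval(text):
    """Hardened: ast.literal_eval only builds Python literals.

    Accepted: strings, bytes, numbers, tuples, lists, dicts, sets, booleans,
    None. Names, calls, attribute access and most operators raise ValueError
    (or SyntaxError for text that is not a valid expression at all).
    """
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, RecursionError, MemoryError) as exc:
        raise ValueError(f"rejected non-literal input: {text[:40]!r}") from exc


def literal_eval_rejects(text):
    """True when the hardened parser refuses the input."""
    try:
        parse_with_literal_eval(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("eval ran the injection and returned:", parse_with_eval(INJECTION_INPUT))
    print("literal_eval parsed the safe input:", parse_with_literal_eval(SAFE_INPUT))
    for bad in (INJECTION_INPUT, EXPRESSION_INPUT, "open('/etc/passwd')"):
        print(f"literal_eval rejects {bad!r}:", literal_eval_rejects(bad))
```

The point the thread makes is visible in the two functions: `eval` turns any string into code, so the caller inherits the full power of the interpreter, while `ast.literal_eval` never evaluates names, calls or attribute access and so cannot be steered into importing a module. It is still a parser fed by an attacker, hence the length check.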
