[Tutor] What Eval() Hath Men Wrought
Magnus Lyckå
magnus at thinkware.se
Fri Jun 18 06:54:38 EDT 2004
At 18:34 2004-06-17 -0800, Tim Johnson wrote:
>Couldn't resist that subject since I hear
>the eval (the built-in) is 'evil'.
>
>I've been looking through the Python Cookbook, and
>there's an example at
> http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/66018
>look for
> class Eval:
> # ...... code following
>
>This appears to be a handy class, but given the concerns about
>built-in function eval, I would welcome comments and caveats.
As I see it, there are some problems with eval()
- It's slow, e.g. eval('5') is about ten times slower than int('5').
- It might cause unpredicted results unless you are certain about
what you run eval on. This isn't really a problem if you only run
eval on hardcoded strings in your source code as the Cookbook
example does. In some programs eval could cause security problems.
For instance, an attacker might be able to display passwords stored
in program variables etc.
- It makes it more difficult to analyse the code, for instance with
some automatic tool such as PyChecker or PyLint. (Or manually for
that matter.)
- Debugging gets harder. You might hide syntax errors until runtime
etc. I imagine tracebacks are less helpful too.
Besides, I'm not really sure that
print "%(text.capitalize())s %(number/9.0).1f rules!" % Eval()
is better than
print "%s %.1f rules!" % (text.capitalize(), number/9.0)
This is some kind of ASP syndrome, and it seems to me that most
programmers seem to agree that mixing code in text as in ASP or
as in the Eval example typically causes maintenance problems.
Whether we're talking about web pages or something else, we'll
often want to separate the maintenance of the text from the
maintenance of the code. I often do things similar to:
params = dict(capText=text.capitalize(), verNumber=number/9.0)
print "%(capText)s %(verNumber).1f rules!" % params
or even something like
print "%(capText)s %(verNumber).1f rules!" % vars()
but it might be even better to use a real templating system
such as cheetah etc. See
http://www.python.org/cgi-bin/moinmoin/WebProgramming#head-9d0636d6da8e88f8f09de1454c5961b44183b04d
Eval might look neat, but I think you will end up missing
the syntax coloring of your python statements if you put
them in strings, and that it will turn out to be trickier
to find bugs.
--
Magnus Lycka (It's really Lyckå), magnus at thinkware.se
Thinkware AB, Sweden, www.thinkware.se
I code Python ~ The Agile Programming Language
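As an added illustration (this is not code from the post, nor the actual Cookbook recipe), the following Python 3 script re-creates the idea behind the Eval class in a few lines and puts it next to the explicit-dict alternative described above. The variable names `text`, `number` and `password` are constructed sample data; the point is that with Eval a template string can read any variable in the caller's scope (the password leak the post warns about), whereas with a plain dict only the keys deliberately exported are reachable and nothing in the template is executed. The `eval_slowdown` function is a rough check of the post's "about ten times slower" claim; the exact ratio depends on the machine.

```python
import sys
import timeit


class Eval:
    """Simplified reconstruction of the idea behind the Cookbook's Eval class
    (assumption: not the recipe's real code): every %(key)s lookup is handed
    to eval() with the caller's globals and locals, so the template string
    can run arbitrary expressions and read any variable that is in scope."""

    def __init__(self):
        caller = sys._getframe(1)          # the frame that wrote `... % Eval()`
        self.globals = caller.f_globals
        self.locals = caller.f_locals

    def __getitem__(self, key):
        return eval(key, self.globals, self.locals)


def render_with_eval(template):
    """Render `template` the way the recipe does, inside a scope that also
    happens to hold a secret (constructed sample data)."""
    text = "python"
    number = 42
    password = "hunter2"                   # constructed: a secret in scope
    return template % Eval()


def render_with_dict(template):
    """The explicit-dict alternative from the post: only the keys we chose
    to export are reachable, and nothing in the template is evaluated."""
    text = "python"
    number = 42
    password = "hunter2"                   # same secret, but never exported
    params = dict(capText=text.capitalize(), verNumber=number / 9.0)
    return template % params


def template_can_read(render, expression):
    """True if a template can pull `expression` out of the renderer's scope.
    A dict lookup fails with KeyError; eval() may fail with NameError or
    SyntaxError. Either failure means the template could not reach it."""
    try:
        render("%(" + expression + ")s")
        return True
    except (KeyError, NameError, SyntaxError):
        return False


def eval_slowdown():
    """Rough ratio of the cost of eval('5') to int('5'); the post quotes
    about ten times. eval() has to compile the string every call."""
    slow = timeit.timeit("eval('5')", number=20000)
    fast = timeit.timeit("int('5')", number=20000)
    return slow / fast


if __name__ == "__main__":
    print(render_with_eval("%(text.capitalize())s %(number/9.0).1f rules!"))
    print(render_with_dict("%(capText)s %(verNumber).1f rules!"))
    print("Eval exposes password:", template_can_read(render_with_eval, "password"))
    print("dict exposes password:", template_can_read(render_with_dict, "password"))
    print("eval/int slowdown: %.0fx" % eval_slowdown())
```

Both renderers produce "Python 4.7 rules!" for their respective templates, but only the Eval version answers `%(password)s`; with the dict, the same template fails with a KeyError, which is the behaviour you want when template text comes from anywhere other than your own source file.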