
I am having issues executing a multi-line string with the Python eval function.

code = ''' 

def main():
  print "this is a test"

main()

'''

eval(code)

Traceback (most recent call last):
  File "<pyshell#12>", line 1, in <module>
    eval(code)
  File "<string>", line 3
    def main():
      ^
SyntaxError: invalid syntax
John Galt
    Using `eval` is usually not recommended. Why are you trying to do this? – kylieCatt Jun 05 '15 at 16:38
  • Possible duplicate of http://stackoverflow.com/questions/12698028/why-is-pythons-eval-rejecting-this-multiline-string-and-how-can-i-fix-it – Scott Jun 05 '15 at 16:39
  • @IanAuld I am writing an automatic Python grader which first must execute code received by a GET request on a Flask server – John Galt Jun 05 '15 at 16:41
  • 2
    @JohnGalt: so you want to execute **arbitrary code** sent to you from a web client? That's a security breach waiting to happen, whatever the user sends can easily take over your web process. – Martijn Pieters Jun 05 '15 at 16:43
  • I know, but I'll have a protection system against file manipulation and sql injections and other security breaches. – John Galt Jun 05 '15 at 16:45
  • Also it is in a Virtual Environment. – John Galt Jun 05 '15 at 16:45
  • Better duplicate: [What's the difference between eval, exec, and compile in Python?](http://stackoverflow.com/q/2220699/369450) – Uyghur Lives Matter Jun 05 '15 at 16:55
  • Does this answer your question? [What's the difference between eval, exec, and compile?](https://stackoverflow.com/questions/2220699/whats-the-difference-between-eval-exec-and-compile) – SuperStormer Nov 07 '21 at 01:55

1 Answer


eval can only evaluate Python expressions, not statements. A function definition is a statement, not an expression.

Use exec to execute Python statements.

See the Top-level components document, which differentiates (among others) between file input and expression input:

file_input ::=  (NEWLINE | statement)*

This syntax is used in the following situations:

[...]

  • when parsing a string passed to the exec statement;

and

[...] The string argument to eval() must have the following form:

eval_input ::=  expression_list NEWLINE*

Do NOT use this to execute untrusted user-supplied text. eval() and exec are not guarded against malicious users, and they can and will take over the web process if you use this.

In fact, there is no 'safe' way to ever do this, other than running the code in a throw-away virtual machine with all services firmly bolted shut. Run a new virtual machine for new code, throw away the whole VM when done or after a timeout.

Martijn Pieters
  • Can I still store the evaluation of the code with exec? – John Galt Jun 05 '15 at 16:39
  • 1
    I'd like to add that what you're trying to do sounds a bit like bad design, unless you really know what you're doing. But who knows what John Galt is up to? – Marcus Müller Jun 05 '15 at 16:39
  • @JohnGalt: an expression has a value, a statement doesn't need to. For example, a function `def` doesn't have a value, it just defines the function (then there's a entry in the local namespace that has a value, namely a `Callable`, but that's another thing!) – Marcus Müller Jun 05 '15 at 16:40
  • @JohnGalt: That's the reason it's called `eval`: it can *evaluate* the value of expressions. Things that don't have values can't be `eval`ed, and, even if you could, wouldn't have a value. – Marcus Müller Jun 05 '15 at 16:41
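The following is an added example, not code from the question or from Martijn Pieters' answer. It shows in running Python 3 code the two points the thread makes: the grammar distinction (eval() accepts only eval_input, exec() accepts file_input, and compile() exposes both modes so you can tell which one a string satisfies), and the answer to the follow-up comment about "storing the evaluation" with exec(), which returns None but leaves its results in the namespace dict you pass it. It also shows ast.literal_eval for the common case where the incoming text is data rather than code. The function names, the sample strings and the Python 3 print() rewrite of the original snippet are my own; nothing here makes exec() of untrusted input safe, which is the answer's point.

```python
"""Added example (not from the question or the answer): why eval() rejects
statements, how exec() runs them, and how to get results back out of exec()
through an explicit namespace. Standard library only."""
import ast

# Constructed sample: the question's snippet, using Python 3 syntax and
# storing a value so the result can be read back after exec().
STATEMENT_CODE = '''
def main():
    return "this is a test"

result = main()
'''

# Constructed sample: a single expression, the only thing eval() accepts.
EXPRESSION_CODE = "2 ** 10 + len('abc')"


def kind_of_source(src: str) -> str:
    """Classify a source string by trying the two compile modes.

    'eval' mode accepts only an expression (grammar rule eval_input);
    'exec' mode accepts a sequence of statements (file_input).
    """
    try:
        compile(src, "<string>", "eval")
        return "expression"
    except SyntaxError:
        pass
    try:
        compile(src, "<string>", "exec")
        return "statements"
    except SyntaxError:
        return "invalid"


def eval_rejects_statements(src: str) -> bool:
    """True when eval() raises SyntaxError on src, as in the question's traceback."""
    try:
        eval(src)
    except SyntaxError:
        return True
    return False


def run_expression(src: str):
    """eval() returns the value of a single expression."""
    return eval(src, {})


def run_statements(src: str) -> dict:
    """exec() returns None; whatever the code defines lives in the namespace
    you hand it. A fresh dict keeps those names out of the caller's module
    globals and lets you inspect every name the code created afterwards."""
    namespace: dict = {}
    exec(src, namespace)
    # exec() inserts a reference to builtins; drop it so only user-defined names remain.
    namespace.pop("__builtins__", None)
    return namespace


def literal_only(src: str):
    """When the incoming text is really data (numbers, strings, lists, dicts,
    tuples, booleans, None), ast.literal_eval parses it without running any
    code at all and raises ValueError for anything that is not a literal."""
    return ast.literal_eval(src)


if __name__ == "__main__":
    print(kind_of_source(EXPRESSION_CODE))          # expression
    print(kind_of_source(STATEMENT_CODE))           # statements
    print(eval_rejects_statements(STATEMENT_CODE))  # True
    print(run_expression(EXPRESSION_CODE))          # 1027
    ns = run_statements(STATEMENT_CODE)
    print(sorted(ns), ns["result"])                 # ['main', 'result'] this is a test
    print(literal_only("[1, 2, {'a': 3}]"))         # [1, 2, {'a': 3}]
```

The namespace dict is what answers the "can I store the evaluation" comment: a grader would read ns["result"] (or call ns["main"]) after exec() rather than expecting a return value. The compile() checks are useful for giving a submitter a clearer error than the bare SyntaxError in the question, but they are a syntax check only; deciding whether code is safe to run is a different problem, which the answer addresses with the throw-away VM.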