Home/ Questions/Q 518263
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T07:55:09+00:00

I’ve seen this multiple times in multiple places, but never have found a satisfying

  • 0

I’ve seen this multiple times in multiple places, but never have found a satisfying explanation as to why this should be the case.

So, hopefully, one will be presented here. Why should we (at least, generally) not use exec() and eval()?

EDIT: I see that people are assuming that this question pertains to web servers – it doesn’t. I can see why an unsanitized string being passed to exec could be bad. Is it bad in non-web-applications?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are often clearer, more direct ways to get the same effect. If you build a complex string and pass it to exec, the code is difficult to follow, and difficult to test.

    Example: I wrote code that read in string keys and values and set corresponding fields in an object. It looked like this: 

    for key, val in values:
    fieldName = valueToFieldName[key]
    fieldType = fieldNameToType[fieldName]
    if fieldType is int:
        s = 'object.%s = int(%s)' % (fieldName, fieldType) 
    #Many clauses like this...

exec(s)

    That code isn’t too terrible for simple cases, but as new types cropped up it got more and more complex. When there were bugs they always triggered on the call to exec, so stack traces didn’t help me find them. Eventually I switched to a slightly longer, less clever version that set each field explicitly.

    The first rule of code clarity is that each line of your code should be easy to understand by looking only at the lines near it. This is why goto and global variables are discouraged. exec and eval make it easy to break this rule badly.

    • 0