Evaluating a string expression

by Mkhanyisi Madlavana

Hi Everyone,

I would like to know how would I evaluate a string expression in python.
For example, if I say:
>>> a = "3*2"
I want to do something to evaluate the variable 'a' to give me 6. How
can I do this?

Thanks
Mkhanyisi
_______________________________________________
Tutor maillist  -  Tutor@...
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor

Re: Evaluating a string expression

by Serdar Tumgoren

> I would like to know how would I evaluate a string expression in python.
> For example, if I say:
> >>> a = "3*2"
> I want to do something to evaluate the variable 'a' to give me 6. How
> can I do this?
>

I think the "eval" built-in function is what you're after:

>>> a = "3*2"
>>> eval(a)
6

http://docs.python.org/library/functions.html

Re: Evaluating a string expression

by Mkhanyisi Madlavana

Thanks!

2009/11/5 Serdar Tumgoren <zstumgoren@...>

>
> > I would like to know how would I evaluate a string expression in python.
> > For example, if I say:
> > >>> a = "3*2"
> > I want to do something to evaluate the variable 'a' to give me 6. How
> > can I do this?
> >
>
> I think the "eval" built-in function is what you're after:
>
> >>> a = "3*2"
> >>> eval(a)
> 6
>
> http://docs.python.org/library/functions.html

Re: Evaluating a string expression

by Tim Golden-4

Mkhanyisi Madlavana wrote:
> Hi Everyone,
>
> I would like to know how would I evaluate a string expression in python.
> For example, if I say:
> >>> a = "3*2"
> I want to do something to evaluate the variable 'a' to give me 6. How
> can I do this?

I'm afraid that your question doesn't pass the basic "Have I Googled it?"
test. I stuck "evaluate a string expression in python" into Google and got:

http://www.google.co.uk/#q=evaluate+a+string+expression+in+python

Does any of that help?

TJG

Re: Evaluating a string expression

by Serdar Tumgoren

> I'm afraid that your question doesn't pass the basic "Have I Googled it?"
> test. I stuck "evaluate a string expression in python" into Google and got:
>
> http://www.google.co.uk/#q=evaluate+a+string+expression+in+python
>
That search turns up a useful tutorial by effbot:

http://effbot.org/zone/librarybook-core-eval.htm

It covers the basics of how to safely use eval if the data is coming
from an untrusted source. Might be worth a look depending on your use
case.

Re: Evaluating a string expression

by modulok-2

[snip]
> I would like to know how would I evaluate a string expression in python.
> For example, if I say:
> >>> a = "3*2"
> I want to do something to evaluate the variable 'a' to give me 6. How
> can I do this?
[/snip]

The eval() function can do this:

   eval("3*2")

WARNING: Long winded security rant below...

Be *very* careful what strings you pass to eval(). It is executing
code! If you're doing this in a controlled environment it's not a
problem. If this is part of a bigger program which is going to be used
by other people, perhaps even online, this is a potentially *huge*
security risk. You will either have to very carefully parse the user's
input to control what they can and cannot do, or better, strictly
control what the kernel permits the process to do. This includes what
hardware resources (memory/processor time) the process is allowed.
This way, even if (when) the process is hijacked, the damage will be
very limited.

Such a feat is accomplished by having the program execute as a user
who has very limited permissions. This is something best (only?) done
on UNIX/Linux/BSD flavored systems. This could be done via a setuid
binary, or a *carefully written* root process which immediately
demotes its privilege level upon execution/spawning of children. (Such
a model is employed by programs like Apache's httpd server, where one
process is root owned and does nothing but spawn lesser privileged
processes to handle untrusted data.) If this is something you're
interested in, the os module features functions like 'setuid()',
'setgid()', and notably 'chroot()'. For further security yet, you
might look into isolating a process from the rest of the system, as is
the case with FreeBSD's jails.

These are really big topics and in the end, it really depends on what
'untrusted source' constitutes, and your operating environment.
Writing bulletproof code in regards to security is challenging. It is
a very specialized topic worthy of further study. But in most
situations executing code from an untrusted source is a *really* bad
idea, even with precautions such as those outlined in the example URL
provided by one of the other responses.
(http://effbot.org/zone/librarybook-core-eval.htm)

Sorry for all the lecture. I'll shut up now. :p
-Modulok-

Re: Evaluating a string expression

by Alan Gauld

"Modulok" <modulok@...> wrote

>> I would like to know how would I evaluate a string expression in python.
>> For example, if I say:
>> >>> a = "3*2"
>> I want to do something to evaluate the variable 'a' to give me 6. How
>> can I do this?
> [/snip]
>
> The eval() function can do this:
>
>   eval("3*2")
>
> WARNING: Long winded security rant below...

And these are valid warnings, which begs the question: what are the
alternatives?

If your string forms a well defined pattern you can parse the string into
its components - an arithmetic calculation in the example - and execute it
that way.
There are Python modules/tools available to help create such parsers and if
you are dealing with well defined input that is probably the safest
approach.

Use eval() only if you know that the input cannot be malicious (or
accidentally bad) code.

HTH,

--
Alan Gauld
Author of the Learn to Program web site
http://www.alan-g.me.uk/ 



Re: Evaluating a string expression

by Kent Johnson

On Fri, Nov 6, 2009 at 3:34 AM, Alan Gauld <alan.gauld@...> wrote:

> "Modulok" <modulok@...> wrote
>
>>> I would like to know how would I evaluate a string expression in python.
>>> For example, if I say:
>>>
>>> >>> a = "3*2"
>>>
>>> I want to do something to evaluate the variable 'a' to give me 6. How
>>> can I do this?
>>
>> [/snip]
>>
>> The eval() function can do this:
>>
>>  eval("3*2")
>>
>> WARNING: Long winded security rant below...
>
> And these are valid warnings which begs the question what are the
> alternatives?

Python 2.6 includes the ast.literal_eval() function which will
evaluate literal expressions:
http://docs.python.org/library/ast.html#ast.literal_eval

This is a bit too limited for the OP however.

The Python Cookbook has several examples of safe eval functions that
work by parsing an expression and evaluating the parse tree, only
allowing specific types of nodes. For example this one which does
allow arithmetic expressions:
http://code.activestate.com/recipes/286134/

Kent
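
A sketch of the parse-tree approach described in the message above, added here as an illustration; it is not the ActiveState recipe and not code from any poster. The names `safe_arith` and `RejectedExpression` and the limits `MAX_LEN` and `MAX_BITS` are assumptions of this example, which goes one step beyond the message by estimating the size of an integer power before computing it.

```python
import ast
import operator

# Only these operators are evaluated; every other node type is rejected.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv,
           ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
           ast.Pow: operator.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

MAX_LEN = 200    # assumed cap on input length (also bounds nesting depth)
MAX_BITS = 4096  # assumed cap on the size of any integer value


class RejectedExpression(ValueError):
    """The input is not plain, bounded arithmetic."""


def _check(value):
    if isinstance(value, int) and value.bit_length() > MAX_BITS:
        raise RejectedExpression("integer result too large")
    return value


def _walk(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return _check(node.value)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_walk(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _walk(node.left), _walk(node.right)
        # Estimate the size of an integer power before computing it.
        if (isinstance(node.op, ast.Pow) and isinstance(left, int)
                and isinstance(right, int) and right > 0
                and left.bit_length() * right > MAX_BITS):
            raise RejectedExpression("power too large")
        return _check(BIN_OPS[type(node.op)](left, right))
    raise RejectedExpression("disallowed syntax: " + type(node).__name__)


def safe_arith(text):
    """Evaluate +, -, *, /, //, %, ** over int and float literals only."""
    if len(text) > MAX_LEN:
        raise RejectedExpression("expression too long")
    try:
        return _walk(ast.parse(text.strip(), mode="eval").body)
    except (SyntaxError, ValueError, TypeError, ArithmeticError) as exc:
        raise RejectedExpression(str(exc)) from exc
```

Names, calls, attribute access, strings and booleans all fall through to the final `raise`, so nothing outside the operator tables is ever executed.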

Re: Evaluating a string expression

by modulok-2

[snip]

>>>> I would like to know how would I evaluate a string expression in python.
>>>> For example, if I say:
>>>>
>>>> >>> a = "3*2"
>>>>
>>>> I want to do something to evaluate the variable 'a' to give me 6. How
>>>> can I do this?
>>>
>>> The eval() function can do this:
>>>
>>>  eval("3*2")
>>>
>>> WARNING: Long winded security rant below...
...

>> And these are valid warnings which begs the question what are the
>> alternatives?
>
> Python 2.6 includes the ast.literal_eval() function which will
> evaluate literal expressions:
> http://docs.python.org/library/ast.html#ast.literal_eval
>
> This is a bit too limited for the OP however.
>
> The Python Cookbook has several examples of safe eval functions that
> work by parsing an expression and evaluating the parse tree, only
> allowing specific types of nodes. For example this one which does
> allow arithmetic expressions:
> http://code.activestate.com/recipes/286134/
>
> Kent
[/snip]

From the article: http://code.activestate.com/recipes/286134/

"Also, it should be noted that a malicious user can still for example
cause the expression to take vast amounts of memory by inputting
something like '100100100100100**100...'. There is no way to really
prevent this from within Python, without making the expression
limitations too restrictive."

Just thinking aloud here for a moment: I wonder if it would be
reasonably possible to put the eval() step into a sub-process, with
the dispatcher process timing execution and killing the subprocess if
it consumes too much time/memory. ...of course the problem there, is
the sub-process runs at the same permission level, so if it is
hijacked it could potentially kill its parent first :S I think the
root-owned dispatcher, spawning lesser privileged processes, is the
only 'secure' way in regards to protecting the system from a denial of
service attack through an infinite variety of simply expressed, but
computationally intractable, expressions. The war between security and
ease of use (implementation in this case) wages onward.

-Modulok-
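
The sub-process idea from the message above, combined with the kernel-enforced memory and processor-time limits from the earlier message, as an added example that is not code from the thread. It assumes a Unix-like system with the `resource` module; `eval_in_child`, `CHILD` and the limit values are names and numbers chosen for this example. The child still runs under the caller's user id, so this bounds resource use only and is not the privilege separation discussed in the thread.

```python
import ast
import resource
import subprocess
import sys

# Child program: accepts numeric literals and operators only, then evaluates.
# It does not bound result size; the OS limits set by the parent do that.
CHILD = r'''
import ast, sys
ALLOWED = (ast.Expression, ast.Constant, ast.BinOp, ast.UnaryOp,
           ast.operator, ast.unaryop)
tree = ast.parse(sys.stdin.read().strip(), mode="eval")
for node in ast.walk(tree):
    ok = isinstance(node, ALLOWED)
    if isinstance(node, ast.Constant):
        ok = type(node.value) in (int, float)
    if not ok:
        sys.exit("rejected")
print(repr(eval(compile(tree, "<expr>", "eval"), {"__builtins__": {}})))
'''


def _lower(kind, want):
    """Lower soft and hard limits so the child cannot raise them again."""
    hard = resource.getrlimit(kind)[1]
    if hard != resource.RLIM_INFINITY:
        want = min(want, hard)
    resource.setrlimit(kind, (want, want))


def eval_in_child(expr, cpu_seconds=2, mem_bytes=512 * 2**20, wall_seconds=10):
    """Return (status, value); status is 'ok', 'timeout' or 'failed'."""
    def limits():  # runs in the child between fork() and exec()
        _lower(resource.RLIMIT_CPU, cpu_seconds)
        _lower(resource.RLIMIT_AS, mem_bytes)
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", CHILD], input=expr,
                              capture_output=True, text=True,
                              timeout=wall_seconds, preexec_fn=limits)
    except subprocess.TimeoutExpired:
        return ("timeout", None)
    if proc.returncode != 0:  # rejected, exception, or killed by a signal
        return ("failed", None)
    try:
        # Parse the child's output as a literal; never eval() it.
        return ("ok", ast.literal_eval(proc.stdout.strip()))
    except (ValueError, SyntaxError):
        return ("failed", None)
```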