In some programming languages, eval is a function which evaluates a string as though it were an expression and returns a result; in others, it executes multiple lines of code as though they had been included instead of the line including the eval.

Eval-like functions are more common in interpreted languages than in compiled languages, since including one in a compiled language would require including an interpreter or compiler with the program, and more runtime information (such as variable names). Some compiled languages do have something similar to an eval function, see below.

Security risks

Special care must be taken when using eval with data from an untrusted source. For instance, assuming that the get_data() function gets data from the Internet, this Python code is insecure:

data = get_data()
foo = eval(data)

An attacker could supply the program with the string "delete_system_files()" as data, which would result in the program calling the delete_system_files() function. To remedy this, all data which will be used with eval must be escaped, or it must be run without access to potentially harmful functions.

Uses

A call to eval is sometimes used by inexperienced programmers for all sorts of things. In most cases, there are alternatives which are more flexible and do not require the speed hit of parsing code.

For instance, eval is sometimes used for a simple mail merge facility, as in this PHP example:

$name = 'John Doe';
$greeting = 'Hello';
$template = '"$greeting,  $name! How can I help you today?"';
print eval("return $template;")

Although this works, it can cause some security problems (see security risks), and will be much slower than other possible solutions. A faster and more secure solution would be simply replacing the text "$name" with the name.

Eval is also sometimes used in applications needing to evaluate math expressions, such as spreadsheets. This is much easier than writing an expression parser, but finding or writing one would often be a wiser choice. Besides the fixable security risks, using your language's evaluation features would most likely be slower, and wouldn't be as customizable.

Perhaps the best use of eval is in bootstrapping a new language (as with Lisp), and in language tutor programs which allow users to run their own programs in a controlled environment.

Implementation

In interpreted languages, eval is almost always implemented with the same interpreter as normal code. In compiled languages, the same compiler used to compile programs may be embedded in programs using the eval function; separate interpreters are sometimes used, though this results in code duplication .

Programming languages

JavaScript

In JavaScript, eval is something of a hybrid between an expression evaluator and a statement executor. It returns the last expression evaluated (all statements are expressions in Javascript), and allows the final semicolon to be left off.

Example as an expression evaluator:

foo = 2;
alert(eval('foo + 2'));

Example as a statement executor:

foo = 2;
eval('foo = foo + 2;alert(foo);');

Lisp

Lisp was the original language to make use of an eval function. In fact definition of the eval function led to the first implementation of the language interpreter. Before the eval function was defined, Lisp functions were manually compiled to assembly language statements. However once the eval function had been manually compiled it was used as part of a simple input-interpret-output loop which formed the basis of the first Lisp interpreter. Later versions of the Lisp eval function have also been implemented as compilers.

PHP

In PHP, eval executes code in a string almost exactly as if it had been put in the file instead of the call to eval(). The only exceptions are that errors are reported as coming from a call to eval(), and return statements become the result of the function.

Example using echo:

<?php
$foo = "Hello, world!\n";
eval('echo $foo;');
?>

Example returning a value:

<?php
$foo = "Goodbye, world!\n";
echo eval('return $foo;');
?>

PostScript

PostScript's exec operator takes an operand - if it is a simple literal it pushes it back on the stack. If one takes a string containing a PostScript expression however, one can convert the string to an executable which then can be executed by the interpreter, for example:

((Hello World) =) cvx exec

converts the PostScript expression

(Hello World) =

which pops the string "Hello World" off the stack and displays it on the screen, to have an executable type, then is executed.

PostScript's run operator is similar in functionality but instead the interpreter interprets PostScript expressions in a file, itself.

Python

In Python, the eval() function evaluates a single expression. It cannot execute statements, but can execute functions which execute statements. The exec statement executes statements.

Eval example (interactive shell):

>>> x = 1
>>> eval('x + 1')
2
>>> eval('x')
1

Exec example (interactive shell):

>>> x = 1
>>> y = 1
>>> exec "x = x + 1;y = y - 1"
>>> x
2
>>> y
0

REALbasic

In REALbasic, there is a class called RBScript which can execute code very similar to ordinary REALbasic code. Its code can access a special object which is assigned to one of the RBScript object's properties, but it can't access variables from the function which calls it.