eval can only evaluate Python expressions, not statements. A function definition is a statement, not an expression.
Use exec to execute Python statements.
See the Top-level components document, which differentiates (among others) between file input and expression input:
file_input ::= (NEWLINE | statement)*
This syntax is used in the following situations:
[...]
- when parsing a string passed to the exec statement;
and
[...] The string argument to eval() must have the following form:
eval_input ::= expression_list NEWLINE*
Do NOT use this to execute untrusted user-supplied text. eval() and exec are not guarded against malicious users, and they can and will take over the web process if you use this.
In fact, there is no 'safe' way to ever do this, other than running the code in a throw-away virtual machine with all services firmly bolted shut. Run a new virtual machine for new code, throw away the whole VM when done or after a timeout.
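The expression/statement split described in the answer above, as an added example that is not part of the original answer. It assumes Python 3 (where exec is a function), and the helper names classify and run_trusted are hypothetical; the sample strings are constructed and the code is meant for developer-authored source only.

```python
import ast

def classify(source):
    """Return 'expression', 'statements' or 'invalid' for a source string."""
    try:
        ast.parse(source, mode="eval")   # eval_input grammar
        return "expression"
    except SyntaxError:
        pass
    try:
        ast.parse(source, mode="exec")   # file_input grammar
        return "statements"
    except SyntaxError:
        return "invalid"

def run_trusted(source, namespace=None):
    """Run developer-authored source; returns (value, namespace).

    Not a sandbox: never pass user-supplied text to this function.
    """
    ns = {} if namespace is None else namespace
    kind = classify(source)
    if kind == "expression":
        return eval(compile(source, "<trusted>", "eval"), ns), ns
    if kind == "statements":
        exec(compile(source, "<trusted>", "exec"), ns)
        return None, ns
    raise SyntaxError("not valid Python: %r" % source)

# Constructed sample input: a function definition is a statement.
FUNC_DEF = "def double(x):\n    return x * 2\n"

def eval_rejects_def():
    """True if eval() refuses the function definition, as the answer states."""
    try:
        eval(FUNC_DEF)
    except SyntaxError:
        return True
    return False

if __name__ == "__main__":
    print(classify("1 + 2"), classify(FUNC_DEF))   # expression statements
    _, ns = run_trusted(FUNC_DEF)                  # exec defines double()
    print(run_trusted("double(21)", ns)[0])        # 42
```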