How safe is SymPy's sympify(<string>).evalf()?

问题

We know Python's eval() is evil

http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

and threads throughout StackOverflow suggest to use SymPy's evalf().

As a Python newbie, I can't really convince myself that evalf() is safe as I lack the skills. Can anyone elaborate on what evalf() does (different)?

回答1:

There is nothing common between python eval and sympy evalf (the latter is for calculating the numeric value of sympy expression trees and it has nothing to do with parsing, while eval is all about parsing a string and evaluating it as if it is code).

On the other hand, sympify is just as dangerous as eval, because it actually uses eval.

There are two basic modes in which sympify is used and probably it is a bad idea that they got mixed in the same function:

• sympify(some_object) would return a representation of the object more suited for use in a CAS, like transforming int(1) into sympy.Integer(1)

• sympify("some_text") would parse the text almost directly through eval (search for the import from sympy.parsing present in sympify and follow it). It is safer as there are some constraints but it is not safe.

来源：https://stackoverflow.com/questions/16718644/how-safe-is-sympys-sympifystring-evalf