 

Why does eval() exist?

Many programmers say it is a bad practice to use the eval() function:

When is JavaScript's eval() not evil?

I'd like to take a moment to address the premise of your question - that eval() is "evil"...

Is this eval() dangerous?

Buggy evaled code can violate security properties just as easily as buggy source code...

Why not eval() JSON?

There are a number of ways that your security may be compromised...

Is there ever a good reason to use eval()?

Yes - when there is no other way to accomplish the given task with a reasonable level of clarity... This eliminates 99% of cases where eval is used...

Why is eval unsafe in javascript?

The danger of eval only rears its ugly head when you are serving a script written by alice to user bob for bob's browser to eval...


So why does it exist in the first place?

auroranil asked Feb 01 '12 01:02

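The "Why not eval() JSON?" point quoted in the question, as an added example that is not part of the original post. `sideEffect` is a hypothetical sentinel and both input strings are constructed; the contrast is that the old `eval("(" + text + ")")` habit executes whatever the string contains, while `JSON.parse()` only accepts the JSON grammar and never runs code, which leaves a shape check as the only remaining step before the data is trusted.

```javascript
// Added example, not from the original thread. Contrasts the legacy
// eval-based JSON "parser" with JSON.parse(). "sideEffect" is a hypothetical
// sentinel used only to record whether any code ran; both inputs are constructed.
const calls = [];
function sideEffect(tag) {
  calls.push(tag);
  return "admin";
}

// Constructed sample inputs: a real JSON document, and a string that looks
// like JSON but is a JavaScript object literal containing a function call.
const GOOD = '{"name": "bob", "role": "user"}';
const BAD = '{"name": "bob", "role": sideEffect("ran")}';

// Legacy pattern: wrap the text in parentheses and eval it. It returns an
// object, but it evaluates every expression inside the string to get there.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// JSON.parse() implements only the JSON grammar, so an embedded expression is
// a SyntaxError and nothing is executed. The shape check afterwards is the
// part eval never gave you: the data is validated before anyone relies on it.
function parseUntrustedUser(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: e.name };
  }
  const ROLES = ["user", "admin"]; // assumed allowlist for the demo
  if (
    value === null || typeof value !== "object" || Array.isArray(value) ||
    typeof value.name !== "string" || !ROLES.includes(value.role)
  ) {
    return { ok: false, error: "InvalidShape" };
  }
  // Copy only the fields we expect, so stray keys never travel further.
  return { ok: true, value: { name: value.name, role: value.role } };
}
```

Run it with Node: `parseUntrustedUser(BAD)` reports a `SyntaxError` and the sentinel is never called, whereas `parseWithEval(BAD)` returns an object whose `role` came from running `sideEffect`. The second function is the point of the question: once a string is handed to `eval`, the data format and the host language are the same thing.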


People also ask

What is the purpose of the eval () method?

The eval() function evaluates JavaScript code represented as a string and returns its completion value.

What is the purpose of eval in Python?

Python's eval() allows you to evaluate arbitrary Python expressions from a string-based or compiled-code-based input. This function can be handy when you're trying to dynamically evaluate Python expressions from any input that comes as a string or a compiled code object.

Why you shouldn't use eval in Python?

Since the eval() function will evaluate any Python expressions, the hacker can easily get a list of files and folders on the server. To be honest, you probably will be fired if the above string is really evaluated by the eval() function.

Why is it bad to use eval?

Malicious code: invoking eval can crash a computer. For example: if you use eval server-side and a mischievous user decides to use an infinite loop as their username. Terribly slow: the JavaScript language is designed to use the full gamut of JavaScript types (numbers, functions, objects, etc)… Not just strings!


2 Answers

Because sometimes there is a need. All the same reasons for/against using eval in JavaScript can likely be shared with the use of reflection in Java, for example.

However, I agree with everything you quoted in your question. Many reasons for using it are ill-advised, and best done differently - but sometimes, there is still a need, or it is simply the "best choice" over other available alternatives. (I'd focus on the answers to Is there ever a good reason to use eval()? for additional reasons.)

+1 to your question for good research.

ziesemer answered Oct 13 '22 07:10



eval() exists because sometimes you want to give complete programmatic control of your application to code passed in at run time.

Languages without an eval() feature can definitely provide (a subset? all?) of this functionality by asking each programmer to essentially write their own eval() -- lex the input, parse the input, create new objects as necessary, run methods or functions on them via simple string comparisons or similar. In essence, duplicate the entire interpreter that already exists and is debugged and fast.

sarnold answered Oct 13 '22 05:10

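sarnold's answer describes what a language without eval() makes you write by hand: lex the input, parse it, then run things by comparing strings. The block below is an added example in that spirit, not code from the thread: a deliberately tiny "eval" for an arithmetic expression language in JavaScript. Because it only understands its own grammar and resolves names against explicit allowlists, it cannot reach the host language at all. The variable environment and the `abs`/`min`/`max` function allowlist are assumptions for the demo.

```javascript
// Added example, not sarnold's code: a hand-written "eval" for a small
// expression language. Pipeline: lex -> parse (recursive descent) -> evaluate.
// Allowed functions are an assumed allowlist; variables come from a caller-
// supplied environment object. Nothing here can touch JavaScript itself.
const FUNCS = { abs: Math.abs, min: Math.min, max: Math.max };

// 1. Lexer: numbers, identifiers and single-character operators only.
//    Anything else (a dot, a bracket, a quote) is rejected up front.
function lex(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/(),]))/y;
  const tokens = [];
  const text = src.trim();
  let pos = 0;
  while (pos < text.length) {
    re.lastIndex = pos;
    const m = re.exec(text);
    if (!m) throw new SyntaxError(`unexpected character at offset ${pos}`);
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: "num", value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: "id", value: m[2] });
    else tokens.push({ type: "op", value: m[3] });
  }
  return tokens;
}

// 2. Parser. Grammar:
//    expr    := term (('+'|'-') term)*
//    term    := unary (('*'|'/') unary)*
//    unary   := '-' unary | primary
//    primary := num | id | id '(' [expr (',' expr)*] ')' | '(' expr ')'
function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isOp = (v) => peek() !== undefined && peek().type === "op" && peek().value === v;
  const expectOp = (v) => { if (!isOp(v)) throw new SyntaxError(`expected '${v}'`); next(); };
  function expr() {
    let node = term();
    while (isOp("+") || isOp("-")) node = { type: "bin", op: next().value, left: node, right: term() };
    return node;
  }
  function term() {
    let node = unary();
    while (isOp("*") || isOp("/")) node = { type: "bin", op: next().value, left: node, right: unary() };
    return node;
  }
  function unary() {
    if (isOp("-")) { next(); return { type: "neg", arg: unary() }; }
    return primary();
  }
  function primary() {
    const t = next();
    if (t === undefined) throw new SyntaxError("unexpected end of input");
    if (t.type === "num") return { type: "num", value: t.value };
    if (t.type === "id") {
      if (!isOp("(")) return { type: "var", name: t.value };
      next();
      const args = [];
      if (!isOp(")")) {
        for (;;) { args.push(expr()); if (!isOp(",")) break; next(); }
      }
      expectOp(")");
      return { type: "call", name: t.value, args };
    }
    if (t.type === "op" && t.value === "(") { const node = expr(); expectOp(")"); return node; }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }
  const tree = expr();
  if (i !== tokens.length) throw new SyntaxError("trailing input");
  return tree;
}

// 3. Evaluator: walk the tree. Names are resolved by plain string comparison
//    against own properties of the allowlists, so "constructor" or "process"
//    are simply unknown here rather than anything dangerous.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function evaluate(node, env) {
  switch (node.type) {
    case "num": return node.value;
    case "neg": return -evaluate(node.arg, env);
    case "var":
      if (!has(env, node.name)) throw new ReferenceError(`unknown variable ${node.name}`);
      return env[node.name];
    case "call":
      if (!has(FUNCS, node.name)) throw new ReferenceError(`unknown function ${node.name}`);
      return FUNCS[node.name](...node.args.map((a) => evaluate(a, env)));
    case "bin": {
      const l = evaluate(node.left, env), r = evaluate(node.right, env);
      if (node.op === "+") return l + r;
      if (node.op === "-") return l - r;
      if (node.op === "*") return l * r;
      if (r === 0) throw new RangeError("division by zero");
      return l / r;
    }
  }
  throw new Error("malformed tree");
}

// The whole "eval": string in, number out, with the host language out of reach.
function miniEval(src, env = {}) { return evaluate(parse(lex(src)), env); }
```

`miniEval("-x + max(2, y)", { x: 1, y: 5 })` gives 4; `miniEval("this.constructor")` fails in the lexer on the dot, and `miniEval("constructor")` fails in the evaluator as an unknown variable. That is the trade sarnold describes: you re-implement a subset of an interpreter, but you decide exactly which subset.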