What does eval do and why is it evil? [duplicate]

eval() takes the string it is given, and runs it as if it were plain JavaScript code.

It is considered “evil” because:

  • It over-complicates things – Most cases where eval() is used, there would be a much simpler solution that didn’t require it. This example in the question is a perfect case in point: there is absolutely no need for eval() for an expression like this. JS has perfectly good syntax for referencing an object property name as a string (myObject["x"] is the same as myObject.x).

  • It’s much harder to debug – It’s harder to work with it in a debugger, and even once you have managed to work out what’s going on, you have extra work to do because you have to debug both the eval’d code and the code that generated the original string to eval.

  • It slows things down – The script compiler cannot pre-compile code in an eval(), because it doesn’t know what the code will contain until it gets there. So you lose out on some of the performance benefits in modern JavaScript engines.

  • It is a hacker’s dream – eval() runs a string as code. Hackers love this because it’s much easier to inject a string into a program than to inject code; but eval() means you can inject a string and get it to run as code. So eval() makes your code easier to hack. (This is less of an issue for browser-based JavaScript than for other languages, as JS code is accessible in the browser anyway, so your security model should not be based on your code being immutable; but nevertheless, injection hacks can still be a problem, particularly with cross-site attacks.)
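As an added example (not part of the answer above), the following shows the injection point the last bullet describes next to the bracket-notation lookup the first bullet recommends. The `settings` object, the lookup keys, the `audit` flag and the helper names are constructed for illustration only.

```javascript
// Constructed sample data: a settings object that code looks properties up on.
const settings = { theme: "dark", timeout: 30 };

// Records whether code smuggled in through the key managed to run.
const audit = { tampered: false };

// The pattern from the question: build JavaScript source as a string and run it.
// Whatever is in `key` becomes part of the program, so an attacker who controls
// `key` controls what executes.
function lookupWithEval(obj, key) {
  return eval("obj." + key);
}

// The replacement the answer recommends: bracket notation treats `key` purely
// as a property name. It can select a property, but it can never be executed.
function lookupWithBracket(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// The same idea for a dotted path such as "a.b.c": split the string and walk
// the object one own-property at a time. No code generation is needed.
function lookupPath(obj, path) {
  return path.split(".").reduce(
    (cur, part) =>
      cur != null && Object.prototype.hasOwnProperty.call(cur, part)
        ? cur[part]
        : undefined,
    obj
  );
}

function runDemo() {
  const results = {};

  // A benign key behaves the same either way.
  results.evalBenign = lookupWithEval(settings, "theme");

  // A hostile key: still "returns" the theme, but also runs the attacker's statement.
  const injected = "theme; audit.tampered = true; obj.theme";
  results.evalInjected = lookupWithEval(settings, injected);
  results.tamperedAfterEval = audit.tampered; // true: injected code ran

  // Reset and try the same hostile key against the bracket lookup.
  audit.tampered = false;
  results.bracketInjected = lookupWithBracket(settings, injected); // undefined: no such property
  results.tamperedAfterBracket = audit.tampered; // false: nothing executed

  // Nested paths without eval either.
  results.path = lookupPath({ a: { b: { c: 42 } } }, "a.b.c");

  return results;
}

console.log(runDemo());
```

The hasOwnProperty guard in the bracket version is deliberate: without it a key such as `"constructor"` or `"__proto__"` would walk up the prototype chain and return something the caller did not intend, which is a much smaller problem than eval but still worth closing.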
