var myString = "x",
    myObject = {
        x: 10
    },
    value = eval("myObject." + myString);  // builds the source text "myObject.x" and runs it as code
alert(value);
alert(myObject[myString]);  // the same lookup with bracket notation; no eval needed

eval is evil

I have been reading about the eval() function over the internet, but could not really grasp what it actually does apart from "it evaluates an expression".

Should we use the eval() function only for numeric values?

John Montgomery
theJava


eval() takes the string it is given, and runs it as if it were plain JavaScript code.

It is considered "evil" because:

  • It over-complicates things - Most cases where eval() is used, there would be a much simpler solution that didn't require it. This example in the question is a perfect case in point: there is absolutely no need for eval() for an expression like this. JS has perfectly good syntax for referencing an object property name as a string (myObject["x"] is the same as myObject.x).

  • It's much harder to debug - It's harder to work with it in a debugger, and even once you have managed to work out what's going on, you have extra work to do because you have to debug both the eval'd code and the code that generated the original string to eval.

  • It slows things down - The script compiler cannot pre-compile code in an eval(), because it doesn't know what the code will contain until it gets there. So you lose out on some of the performance benefits in modern JavaScript engines.

  • It is a hacker's dream - eval() runs a string as code. Hackers love this because it's much easier to inject a string into a program than to inject code; but eval() means you can inject a string and get it to run as code. So eval() makes your code easier to hack. (This is less of an issue for browser-based JavaScript than other languages, as JS code is accessible in the browser anyway, so your security model should not be based on your code being immutable, but nevertheless, injection hacks can still be a problem, particularly with cross-site attacks.)

Oliver Olding
Spudley
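As an added example (not code from the question or from either answer), here is the question's lookup done both ways, fed a constructed key that carries an extra statement after the property name. The names lookupWithEval, lookupSafely, demo and sideEffects are chosen for this example; sideEffects records whether the extra statement ran.

```javascript
// Records anything the "extra code" in a key manages to execute.
var sideEffects = [];

// The question's pattern: splice the key into source text and evaluate it.
// Whatever the key string contains is executed as JavaScript.
function lookupWithEval(obj, key) {
  var myObject = obj;                 // make the object reachable by name inside eval
  return eval("myObject." + key);
}

// The replacement both answers recommend: bracket notation treats the key as
// data. The own-property check also refuses inherited names such as
// "constructor" or "__proto__", which obj[key] alone would happily return.
function lookupSafely(obj, key) {
  if (typeof key !== "string" ||
      !Object.prototype.hasOwnProperty.call(obj, key)) {
    return undefined;
  }
  return obj[key];
}

// Constructed inputs: a plain property name, and the same name followed by
// an extra statement (the kind of string an attacker controls, not a user).
var honestKey = "x";
var hostileKey = "x; sideEffects.push('extra code ran')";

// Runs both lookups on the question's object and returns what happened.
function demo() {
  sideEffects.length = 0;             // fresh record for each run
  var obj = { x: 10 };
  return {
    evalHonest: lookupWithEval(obj, honestKey),     // 10, as in the question
    bracketHonest: lookupSafely(obj, honestKey),    // 10, same result without eval
    bracketHostile: lookupSafely(obj, hostileKey),  // undefined: no property has that name
    bracketProto: lookupSafely(obj, "constructor"), // undefined: inherited, not own
    evalHostile: lookupWithEval(obj, hostileKey),   // the push() executes; eval returns 1
    sideEffectsAfter: sideEffects.slice()           // ["extra code ran"]
  };
}
```

Only the eval() version lets the key's trailing statement run; the bracket version returns undefined for it and for inherited names.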

In this case, just use myObject[myString].

eval is horrifically misused. Pretty much the only valid use for it that I've found is parsing JSON in older browsers.

Niet the Dark Absol
    It seems incredibly powerful for creating self-modifying JSON-like files that store functionality in addition to data. For example, you can create a server that "learns" by checking if the functionality you want is ('functionality' in parsedObject), and if not, it can let the client teach that method to that object. This in turn allows "living libraries" to be made that grow from you teaching things to them via messages rather than editing code. I don't think eval is evil, but rather the most powerful JavaScript construct. – Dmytro Jul 18 '16 at 14:56
  • What's interesting is that PHP's eval is weaker than JavaScript's eval because JavaScript is able to print the code of non-native functions, so you can stringify the object back into a string as long as it is non-native. Whereas in PHP, you can't do this, so having self-writing PHP is harder to accomplish, whereas in JavaScript it's amazingly simple to read an object, convert the method you want to a string, change it, put it back to a string, and write changes to the object, and the object to a file, effectively having self-writing code. – Dmytro Jul 18 '16 at 14:59
  • A demo of this kind of evaluation is http://hastebin.com/eyacegaduq.coffee – Dmytro Jul 18 '16 at 15:00