5

Is there a limit to JavaScript's eval, like in length?

I'm trying to build an app where you can store JS code in the DB, which you can later load and eval in order to execute it, but I'm reaching a limit. First of all, the code has to all be in one line. Any multiline statements are not executed. Next, I'm reaching a limit in length (I guess). If I execute the code manually, it works, but put that same code in the DB, load it via Ajax, and try to execute it, and it fails.

Any ideas why?

R0b0tn1k
  • *Please* don't do this, storing it in a DB is fine, but why must `eval` be used? – Nick Craver Apr 22 '10 at 18:06
  • This sounds like the DB is either truncating your code or else there are character-encoding issues. Have you tried diffing a manual value that works with an "identical" DB value that doesn't? – Robusto Apr 22 '10 at 18:07
  • @Nick: I'm controlling the input of the code, so it's perfectly safe. Otherwise, I'm considering having the DB JS code be spit out by a separate file, and then just include the file as a JS script. Would be much more efficient than eval, I guess? – R0b0tn1k Apr 22 '10 at 18:16
  • @Robusto: not sure what you mean by "diffing a manual value"? – R0b0tn1k Apr 22 '10 at 18:17
  • @user117701 - There are both security *and* performance concerns with `eval()`. Including it as another script like `src="myScript.php?ID=50"` is a *much* better solution, with jQuery you could call `$.getScript()` on any url like this to execute it, or just a script tag that includes it, either or. – Nick Craver Apr 22 '10 at 18:20
  • @user: You said "If I execute the code manually ..." That is what I mean by a "manual" value. – Robusto Apr 22 '10 at 18:59
  • I have a similar issue: I get user-entered formulas into which I insert application values on the client at run time. These formulas are then eval'd. These formulas are HUGE, so I'm wondering if there are limits for length too. This is a valid question. – Pieter Breed Jun 14 '10 at 12:31
  • So how did you handle it? Loading the values with a script tag takes time, and is adding a lag which I want to avoid. – R0b0tn1k Jun 27 '10 at 16:54

3 Answers

2

You don't need to use eval, and it's not exactly a good thing to use. You could just have it print out to the page and it will run.

Here is the accepted answer on why you should not use eval:

  1. Improper use of eval opens up your code for injection attacks
  2. Debugging can be more challenging (no line numbers, etc.)
  3. eval'd code executes more slowly (no opportunity to compile/cache eval'd code)
Jonathan Czitkovics
2

I have run into this also. As others have said here, eval comes in handy when you are generating the JavaScript on the fly and then want to have it execute in the browser. My usages of this technique are to do small things like a simple function that will just make a call back to the server when a button is pressed. Depending upon the circumstances there might be two functions or just one. I've also used it to display information that changes from a database. The information is always just plain text. So no injection attack can be done.

Anyway, I too have run into this limitation of the JavaScript EVAL statement and it seems to me that there is a 1024 character limit. When I go over this I start getting weird things like eval just spitting out the original text. This is really evident because I hex everything before sending it to the browser so I can have things like single and double quotes in the text without it causing eval any problems. (And hexing everything helps prevent injection attacks.)

I also side with the person who said to use getScript in jQuery. It works just as well as the eval without the size limitations. The only extra step you have to take is to create the JavaScript file first.

I hope this helps and answers the original poster's question. That being I believe the size limitation is 1024 bytes.

Mark Manning
1

You could create a JavaScript function that creates a script tag dynamically (createElement('script') and append it to the head or body tag) and point the source to your app. The src can contain parameters, used like a GET request, for example: src="jsapp.aspx?script=myscript&includefunction=loadfn". No eval needed. You can even define an onload handler for your new script tag. Plenty of documentation on the net for that.

You wouldn't even have to use XHR (AKA Ajax) for that.

KooiInc
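The dynamic script-tag approach described in this answer, as an added example that is not code from any poster here; it assumes a server endpoint `jsapp.aspx` that returns JavaScript for the given query parameters, and the `loadfn` name is taken from the answer's example URL:

```javascript
// Added example (not from any answer on this page): load server-generated
// JavaScript through a dynamically created <script> tag instead of eval().
// Assumed endpoint: "jsapp.aspx" answering with a script for the given params.

// Build the script URL. Every key and value is percent-encoded, so a script
// or function name containing "&", "=" or spaces cannot alter the query.
function buildScriptUrl(base, params) {
  const query = Object.keys(params)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(params[k]))
    .join("&");
  return query ? base + "?" + query : base;
}

// Create the <script> element, attach onload/onerror handlers and append it
// to <head>. The promise resolves only after the browser has fetched and
// executed the script, so the caller can safely use functions it defines.
// Unlike eval(), nothing is truncated to a single line and the browser
// compiles and caches the script like any other <script src="...">.
function loadScript(url) {
  return new Promise((resolve, reject) => {
    const script = document.createElement("script");
    script.src = url;
    script.async = true;
    script.onload = () => resolve(script);
    script.onerror = () => reject(new Error("failed to load " + url));
    document.head.appendChild(script);
  });
}

// Browser usage (the DOM is only touched when this actually runs):
// loadScript(buildScriptUrl("jsapp.aspx", { script: "myscript", includefunction: "loadfn" }))
//   .then(() => loadfn())          // defined by the script the server returned
//   .catch((err) => console.error(err));
```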