
Why is 'eval' evil?


This might sound sad... someone requesting a dissertation on the 'eval'
statement... but... I've been reading someone else's post - they had a
huge calendar-like script and a handful of folk cursed the script and
special attention was thrown at the fact the script used eval a lot.

I don't use eval a lot in my scripts - but I do use it - and since I'm
always out to learn more / improve my javascript skills, I'm curious why
something I thought 'normal' would be considered abnormal.

Can someone put some meat on the bones of 'eval' - its advantages (if
any) and its disadvantages (which seem great).

Thanks
Randell D.
Jul 23 '05 #1
Reply Via Newsgroup wrote on 04 apr 2004 in comp.lang.javascript:
This might sound sad... someone requesting a dissertation on the 'eval'
statement... but... I've been reading someone else's post - they had a
huge calendar-like script and a handful of folk cursed the script and
special attention was thrown at the fact the script used eval a lot.

I don't use eval a lot in my scripts - but I do use it - and since I'm
always out to learn more / improve my javascript skills, I'm curious why
something I thought 'normal' would be considered abnormal.

Can someone put some meat on the bones of 'eval' - its advantages (if
any) and its disadvantages (which seem great).


<http://groups.google.com/groups?q=eval+evil>

3540 hits

Let's not start again till you have read them all.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)
Jul 23 '05 #2
Reply Via Newsgroup <re****************@please.com> writes:
I don't use eval a lot in my scripts - but I do use it - and since I'm
always out to learn more / improve my javascript skills, I'm curious
why something I thought 'normal' would be considered abnormal.

Can someone put some meat on the bones of 'eval' - its advantages (if
any) and its disadvantages (which seem great).


As you might guess, it's not the first time someone has questioned
the "eval is evil" slogan :) It even made the FAQ.
<URL:http://jibbering.com/faq/#FAQ4_40>

The short argument for not using eval is:
"It's shooting pigeons with cannons."
Sure, it gets the job done, but it's harder to control and takes a
lot more resources than needed, and when it fails, it fails
spectacularly (read: blows up in your face).

There is (almost) no situation where there isn't another method that
also does the job, and both more efficiently and a lot safer.

With "more efficient" I mean that it uses fewer resources. The "eval"
function works by first turning its argument into a string, then it
parses the string as a Javascript program and finally it evaluates
it. This is a very expensive operation, and the generality of it is
only needed in rare cases that most people writing web pages will
never meet.

With "safer" I mean that it is less likely to fail spectacularly.
Since eval can execute arbitrary Javascript expressions, passing the
wrong argument can cause arbitrary errors. On a server, using eval on
a user supplied string is a *very* bad idea. On a client, the main
problem is that the error message is harder to connect to the actual
error, and that, e.g., syntax errors in eval'ed code will only be
detected at run time, not when the script is loaded. So: eval
both introduces more possible errors and hides existing errors.

The two most common (mis)uses of eval are:
1) converting strings to numbers.
There are plenty of dedicated functions and operators for just this
problem: parseInt, parseFloat, Number, the prefix plus operator, most
mathematical operators (string*1,string/1,string-0). Of these, the
prefix plus is the fastest by a small margin. It is roughly *50* times
faster than using eval (in my browser).

2) accessing properties using a computed name.
Example:
eval("document.images.img"+n+".src")
Again it is inefficient, here compared to using square-bracket
notation for property access:
document.images['img'+n].src
It is also error prone. There is no syntax check, and if the variable
"n" contains something you didn't expect, then the failure can be
hard to find. If the property is called something that is not an
identifier (typically "foo[]", used by PHP for form controls, or
perhaps "foo1.1"), then the eval method fails completely.

This is what I take as a sign that the author doesn't know the
language very well. Often the reason for using eval like this is
that they don't know about this way to do property access, which
is a fundamental part of the language. Using eval like this is a
crutch that allows them to stagger along, getting something to
run, whereas knowing the language would let them run :)

Then there is the third misuse (which the mentioned calendar program
also suffered from): throwing in an eval "just for good measure",
even though someone who knows the language can see that it doesn't do
anything. :)

So, eval isn't evil, that's just a good slogan :)

Eval is *very* slow and dangerously error prone!

For *that* reason, it should be avoided in 99.999% of all cases. As
for the remaining two, when you meet them, you'll hopefully know the
language well enough to be able to recognize them.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 23 '05 #3
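The two misuses Lasse describes, as an added example that is not part of the thread: each eval version beside the dedicated language feature that replaces it, plus a constructed hostile input showing why an untrusted string handed to eval is a program rather than a number. `images` is a constructed stand-in for document.images, and the helper names are my own.

```javascript
// Constructed stand-in for document.images: an object keyed by image name.
// "img[]" is a legal property name but not a legal identifier, so the
// dotted path the eval version builds cannot express it.
const images = {
  img0: { src: "a.gif" },
  img1: { src: "b.gif" },
  "img[]": { src: "php-style.gif" },
};

// Misuse 1: converting a string to a number by running it as a program.
function toNumberViaEval(s) {
  return eval(s); // "12" -> 12, but "1+1" -> 2 and any other code runs too
}

// The dedicated conversion: prefix plus yields NaN on junk and never runs code.
function toNumberSafely(s) {
  const n = +s;
  return Number.isNaN(n) ? null : n;
}

// Misuse 2: building a dotted property path and eval'ing it.
function srcViaEval(n) {
  try {
    return eval("images.img" + n + ".src");
  } catch (e) {
    return e.name; // "SyntaxError" for n = "[]", "TypeError" for a missing image
  }
}

// Square-bracket access works for any property name and needs no parser.
function srcViaBrackets(n) {
  const img = images["img" + n];
  return img ? img.src : undefined;
}

// Why eval on an untrusted string is dangerous: the string is a program.
// The hostile input is constructed; it stands for what a caller might send
// where the script expected a plain number.
function demoInjection() {
  const hostile = "0; globalThis.tampered = true";
  delete globalThis.tampered;
  toNumberViaEval(hostile);                   // executes the assignment
  const evalRan = globalThis.tampered === true;
  delete globalThis.tampered;
  const plusResult = toNumberSafely(hostile); // just NaN -> null
  const plusRan = globalThis.tampered === true;
  return { evalRan, plusRan, plusResult };
}
```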
Lasse Reichstein Nielsen wrote:
Reply Via Newsgroup <re****************@please.com> writes:

I don't use eval a lot in my scripts - but I do use it - and since I'm
always out to learn more / improve my javascript skills, I'm curious
why something I thought 'normal' would be considered abnormal.

Can someone put some meat on the bones of 'eval' - its advantages (if
any) and its disadvantages (which seem great).

As you might guess, it's not the first time someone has questioned
the "eval is evil" slogan :) It even made the FAQ.
<URL:http://jibbering.com/faq/#FAQ4_40>

The short argument for not using eval is:
"It's shooting pigeons with cannons."
Sure, it gets the job done, but it's harder to control and takes a
lot more resources than needed, and when it fails, it fails
spectacularly (read: blows up in your face).

There is (almost) no situation where there isn't another method that
also does the job, and both more efficiently and a lot safer.

With "more efficient" I mean that it uses fewer resources. The "eval"
function works by first turning its argument into a string, then it
parses the string as a Javascript program and finally it evaluates
it. This is a very expensive operation, and the generality of it is
only needed in rare cases that most people writing web pages will
never meet.

With "safer" I mean that it is less likely to fail spectacularly.
Since eval can execute arbitrary Javascript expressions, passing the
wrong argument can cause arbitrary errors. On a server, using eval on
a user supplied string is a *very* bad idea. On a client, the main
problem is that the error message is harder to connect to the actual
error, and that, e.g., syntax errors in eval'ed code will only be
detected at run time, not when the script is loaded. So: eval
both introduces more possible errors and hides existing errors.

The two most common (mis)uses of eval are:
1) converting strings to numbers.
There are plenty of dedicated functions and operators for just this
problem: parseInt, parseFloat, Number, the prefix plus operator, most
mathematical operators (string*1,string/1,string-0). Of these, the
prefix plus is the fastest by a small margin. It is roughly *50* times
faster than using eval (in my browser).

2) accessing properties using a computed name.
Example:
eval("document.images.img"+n+".src")
Again it is inefficient, here compared to using square-bracket
notation for property access:
document.images['img'+n].src
It is also error prone. There is no syntax check, and if the variable
"n" contains something you didn't expect, then the failure can be
hard to find. If the property is called something that is not an
identifier (typically "foo[]", used by PHP for form controls, or
perhaps "foo1.1"), then the eval method fails completely.

This is what I take as a sign that the author doesn't know the
language very well. Often the reason for using eval like this is
that they don't know about this way to do property access, which
is a fundamental part of the language. Using eval like this is a
crutch that allows them to stagger along, getting something to
run, whereas knowing the language would let them run :)

Then there is the third misuse (which the mentioned calendar program
also suffered from): throwing in an eval "just for good measure",
even though someone who knows the language can see that it doesn't do
anything. :)

So, eval isn't evil, that's just a good slogan :)

Eval is *very* slow and dangerously error prone!

For *that* reason, it should be avoided in 99.999% of all cases. As
for the remaining two, when you meet them, you'll hopefully know the
language well enough to be able to recognize them.

/L


I have actually been using the eval for the first of the two examples
you mentioned (converting strings to numbers) and thus will go back and
revisit my code.

Many thanks for taking the time to write - and as Evertjan pointed out
in another post, I should have taken the time to google it or look at
the FAQ but while I have viewed the FAQ before, in this instance, the
thought had not even occurred... sorry...

Thanks though... I'm proud of my javascript skills that I've picked up
this year and hope to avoid bad habits which are difficult to change
once they become habit.

Cheers
Randell D.
Jul 23 '05 #4
Evertjan. wrote:
Reply Via Newsgroup wrote on 04 apr 2004 in comp.lang.javascript:

This might sound sad... someone requesting a dissertation on the 'eval'
statement... but... I've been reading someone else's post - they had a
huge calendar-like script and a handful of folk cursed the script and
special attention was thrown at the fact the script used eval a lot.

I don't use eval a lot in my scripts - but I do use it - and since I'm
always out to learn more / improve my javascript skills, I'm curious why
something I thought 'normal' would be considered abnormal.

Can someone put some meat on the bones of 'eval' - its advantages (if
any) and its disadvantages (which seem great).

<http://groups.google.com/groups?q=eval+evil>

3540 hits

Let's not start again till you have read them all.


errummmaaa.... sorry... I should have tried that but I usually only rely
on the past seven days of threads for my knowledge... I'll try to lean a
bit more on google groups though in the future...

cheers
randelld
Jul 23 '05 #5
This might sound sad... someone requesting a dissertation on the 'eval'
statement... but... I've been reading someone else's post - they had a
huge calendar-like script and a handful of folk cursed the script and
special attention was thrown at the fact the script used eval a lot.

I don't use eval a lot in my scripts - but I do use it - and since I'm
always out to learn more / improve my javascript skills, I'm curious why
something I thought 'normal' would be considered abnormal.

Can someone put some meat on the bones of 'eval' - its advantages (if
any) and its disadvantages (which seem great).

<http://groups.google.com/groups?q=eval+evil>

3540 hits

Let's not start again till you have read them all.


If you added JavaScript to the mix, it drops down to 348 hits. Eval is
still plenty evil, though.
Jul 23 '05 #6
Douglas Crockford wrote:
This might sound sad... someone requesting a dissertation on the
'eval' statement... but... I've been reading someone else's post -
they had a huge calendar-like script and a handful of folk cursed the
script and special attention was thrown at the fact the script used
eval a lot.

I don't use eval a lot in my scripts - but I do use it - and since I'm
always out to learn more / improve my javascript skills, I'm curious
why something I thought 'normal' would be considered abnormal.

Can someone put some meat on the bones of 'eval' - its advantages (if
any) and its disadvantages (which seem great).

<http://groups.google.com/groups?q=eval+evil>

3540 hits

Let's not start again till you have read them all.

If you added JavaScript to the mix, it drops down to 348 hits. Eval is
still plenty evil, though.

and errrrummmmaaaa... if you add elvis to that, it drops to 5 hits ;-)

http://groups.google.com/groups?q=ev...vascript+elvis
Jul 23 '05 #7
Lasse Reichstein Nielsen wrote:
<snip>
... . The "eval"
function works by first turning its argument into a string, then it
parses the string as a Javascript program and finally it evaluates
it. ...

<snip>

Line 1 of the ECMA algorithm for - eval - says " if x is not a string
value return x" (x being the argument). Though that just makes passing -
eval - a non-string argument even more wrong than passing it a string,
because it is pointless (programming by mystical incantation).

Richard.
Jul 23 '05 #8
