Using XMLHttpRequest without 'eval'

The way I usually set up and work with the XMLHttpRequest to execute
server side functions and get results is this:

var url = "someurl?params=" + params;
var conn = createRequest(); // gets an XMLHttpRequest object

conn.open("GET", url);
conn.onreadystatechange =
    function () {
        if (conn.readyState == 4 && conn.status == 200) {
            var ret = conn.responseText;
            var data = eval ( "(" + ret + ")" );

        }
    };

(The above is a highly snipped version without any of the usual checks
and balances, it's for illustration only)

What I'm curious about is how to get the data back and get it read without
using eval(). All of the examples I have seen show the use of eval as if
it were just perfectly ok and normal, and most of everything I've read
about eval says never, ever use it.

Do one of you guys have any links/advice/vitriol I could use to get my
head around a better way?

All the best,
~A!

--
Anthony Levensalor
an*****@mypetprogrammer.com

Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
Dec 28 '07 #1
On Dec 27, 8:58 pm, My Pet Programmer <anth...@mypetprogrammer.com>
wrote:
The way I usually set up and work with the XMLHttpRequest to execute
server side functions and get results is this:

var url = "someurl?params=" + params;
var conn = createRequest(); // gets an XMLHttpRequest object

conn.open("GET", url);
conn.onreadystatechange =
    function () {
        if (conn.readyState == 4 && conn.status == 200) {
            var ret = conn.responseText;
            var data = eval ( "(" + ret + ")" );

        }
    };

(The above is a highly snipped version without any of the usual checks
and balances, it's for illustration only)
It is missing the send too.
>
What I'm curious about is how to get the data back and get it read without
using eval(). All of the examples I have seen show the use of eval as if
it were just perfectly ok and normal, and most of everything I've read
about eval says never, ever use it.
Don't believe most of what you read. Never use eval unless its use is
appropriate. Evaluating JSON data is an appropriate use. Just don't
do it if the data comes from somebody else's server.

Alternatively, you could use a JSON parser, but it doesn't make much
sense to do so if the data comes from your own server.
Dec 28 '07 #2
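Since the thread contrasts eval() with a JSON parser, here is an added example (mine, not code from the thread or its posters) that does both: JSON.parse where the browser has it, and a json2.js-style shape check in front of eval where it does not. The original post's createRequest() is replaced by a request object passed in, and makeFakeRequest is a constructed stand-in for XMLHttpRequest so the example runs offline.

```javascript
// Added example, not code from the thread: read an XMLHttpRequest JSON body
// without handing arbitrary script to eval(). JSON.parse accepts only the JSON
// grammar; where it is missing (the 2007 browsers in the thread), a json2.js-
// style shape check (reproduced from memory, an assumption) gates the eval.

function isStrictJson(text) {
    var stripped = text
        // 1. neutralise escape sequences so the string regex below stays simple
        .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
        // 2. collapse strings, numbers and literals into one harmless token
        .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
        // 3. drop array openers that sit in a structural position
        .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
    // Only structural characters may remain; an operator, identifier or
    // parenthesis means the body is code, not data.
    return /^[\],:{}\s]*$/.test(stripped);
}

function parseJsonResponse(text, forceLegacyPath) {
    if (!forceLegacyPath && typeof JSON === "object" && typeof JSON.parse === "function") {
        return JSON.parse(text);       // native parser, never executes code
    }
    if (!isStrictJson(text)) {
        throw new SyntaxError("response is not JSON; refusing to eval it");
    }
    return eval("(" + text + ")");     // reached only for JSON-shaped text
}

// The thread's XHR pattern with the missing send() added and the parser
// swapped in; the request object is passed in so the original post's
// createRequest() helper, or any XMLHttpRequest, can supply it.
function fetchJson(conn, url, onData, onError) {
    conn.open("GET", url);
    conn.onreadystatechange = function () {
        if (conn.readyState !== 4) { return; }
        if (conn.status !== 200) { onError(new Error("HTTP " + conn.status)); return; }
        try {
            onData(parseJsonResponse(conn.responseText));
        } catch (e) {
            onError(e);                // a non-JSON body is an error, not script to run
        }
    };
    conn.send(null);
}

// Constructed stand-in for XMLHttpRequest so the example runs offline:
// send() completes at once with the given body and HTTP status 200.
function makeFakeRequest(body) {
    return {
        readyState: 0, status: 0, responseText: "",
        open: function (method, url) { this.url = url; },
        send: function () {
            this.readyState = 4; this.status = 200; this.responseText = body;
            this.onreadystatechange();
        }
    };
}

fetchJson(makeFakeRequest('{"id": 7, "tags": ["a", "b"]}'), "someurl?params=1",
    function (data) { console.log("parsed:", data); },
    function (err) { console.log("rejected:", err.message); });
fetchJson(makeFakeRequest('{"id": 1+1}'), "someurl?params=2",
    function (data) { console.log("parsed:", data); },
    function (err) { console.log("rejected:", err.message); });
```

The second call shows the point of the thread: `{"id": 1+1}` is valid JavaScript that a bare eval would happily evaluate, but both parser paths reject it as not JSON.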
David Mark said:
On Dec 27, 8:58 pm, My Pet Programmer <anth...@mypetprogrammer.com>
[snip]
>(The above is a highly snipped version without any of the usual checks
and balances, it's for illustration only)

It is missing the send too.

Shoot. I gave that to someone as an answer to their problem not three
days ago, too. Yeesh.

[snip]
Don't believe most of what you read. Never use eval unless its use is
appropriate. Evaluating JSON data is an appropriate use. Just don't
do it if the data comes from somebody else's server.
That makes a lot of sense, and I only use this method when the data is
from my own servers anyway, I'm just hearing a lot of eval is bad about.
Thanks for the clarification
Alternatively, you could use a JSON parser, but it doesn't make much
sense to do so if the data comes from your own server.
Yeah, I thought about doing that, it just seemed like too much more work
for so little actual gain when the data comes from a file one directory
over.

Thanks, David.

~A!

--
Anthony Levensalor
an*****@mypetprogrammer.com

Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
Dec 28 '07 #3
My Pet Programmer said the following on 12/27/2007 8:58 PM:
The way I usually set up and work with the XMLHttpRequest to execute
server side functions and get results is this:

var url = "someurl?params=" + params;
var conn = createRequest(); // gets an XMLHttpRequest object

conn.open("GET", url);
conn.onreadystatechange =
    function () {
        if (conn.readyState == 4 && conn.status == 200) {
            var ret = conn.responseText;
            var data = eval ( "(" + ret + ")" );

        }
    };

(The above is a highly snipped version without any of the usual checks
and balances, it's for illustration only)
What type of data is someurl returning?
What I'm curious about is how to get the data back and get it read without
using eval().
Depends on what type of data it is. If it is HTML code, with script
snippets in it, then eval has a fatal flaw in it with regards to it.
Even if it is JSON, it could still have a fatal flaw in it if you leave
that function, go to a different function, then try to do something with
the data that you eval'ed unless you do something with it to change the
way it handles it.
All of the examples I have seen show the use of eval as if
it were just perfectly ok and normal, and most of everything I've read
about eval says never, ever use it.
Anything that says "never, ever use eval" is just as bad as using eval
when you don't need to. The rule of thumb is "Don't use eval for
anything other than its intended purpose". The purpose of eval is to
evaluate code "not known at runtime".
Do one of you guys have any links/advice/vitriol I could use to get my
head around a better way?
Depends on what type of data is being returned. If it is not JSON,
search the archives for loadHTMLFragment.

<URL:
http://groups.google.com/group/comp.lang.javascript/browse_thread/thread/415949d1bcce6e6a/96dd313cb56fb75f?lnk=gst&q=loadhtmlfragment#96dd313cb56fb75f>

Has the latest posted version that I have written of it.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 28 '07 #4
Randy Webb said:
My Pet Programmer said the following on 12/27/2007 8:58 PM:
[snip]
>
Depends on what type of data it is. If it is HTML code, with script
snippets in it, then eval has a fatal flaw in it with regards to it.
Even if it is JSON, it could still have a fatal flaw in it if you leave
that function, go to a different function, then try to do something with
the data that you eval'ed unless you do something with it to change the
way it handles it.
It is JSON data exclusively, I don't use the object for loading HTML
code, I build it on the fly every time, mostly because I enjoy the
control over it in my script. If something changes on the page from what
I expected when I wrote the php, my script doesn't much care, and not
too much gets screwed. And it's never XML because I just hate the parsing.
[snip]
Anything that says "never, ever use eval" is just as bad as using eval
when you don't need to. The rule of thumb is "Don't use eval for
anything other than its intended purpose". The purpose of eval is to
evaluate code "not known at runtime".
That makes sense too, just like David said. I tend to think absolutes
are limiting and overblown most of the time anyway.
Depends on what type of data is being returned. If it is not JSON,
search the archives for loadHTMLFragment.

<URL:
http://groups.google.com/group/comp.lang.javascript/browse_thread/thread/415949d1bcce6e6a/96dd313cb56fb75f?lnk=gst&q=loadhtmlfragment#96dd313cb56fb75f>
Excellent, thanks. I'll check it out. Much obliged to you both for
lending your expertise.

~A!

--
Anthony Levensalor
an*****@mypetprogrammer.com

Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
Dec 28 '07 #5
My Pet Programmer said the following on 12/28/2007 3:35 AM:
Randy Webb said:
>My Pet Programmer said the following on 12/27/2007 8:58 PM:
[snip]
>>
Depends on what type of data it is. If it is HTML code, with script
snippets in it, then eval has a fatal flaw in it with regards to it.
Even if it is JSON, it could still have a fatal flaw in it if you
leave that function, go to a different function, then try to do
something with the data that you eval'ed unless you do something with
it to change the way it handles it.

It is JSON data exclusively, I don't use the object for loading HTML
code, I build it on the fly every time, mostly because I enjoy the
control over it in my script. If something changes on the page from what
I expected when I wrote the php, my script doesn't much care, and not
too much gets screwed. And it's never XML because I just hate the parsing.
Then eval it. Just beware of potential scope issues and you won't have a
problem with it.
>[snip]
Anything that says "never, ever use eval" is just as bad as using eval
when you don't need to. The rule of thumb is "Don't use eval for
anything other than its intended purpose". The purpose of eval is to
evaluate code "not known at runtime".

That makes sense too, just like David said. I tend to think absolutes
are limiting and overblown most of the time anyway.
>Depends on what type of data is being returned. If it is not JSON,
search the archives for loadHTMLFragment.

<URL:
http://groups.google.com/group/comp.lang.javascript/browse_thread/thread/415949d1bcce6e6a/96dd313cb56fb75f?lnk=gst&q=loadhtmlfragment#96dd313cb56fb75f>
Excellent, thanks. I'll check it out. Much obliged to you both for
lending your expertise.
That is more for loading HTML that has script elements in it than
dealing with JSON.

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 28 '07 #6
Randy Webb said:
My Pet Programmer said the following on 12/28/2007 3:35 AM:
>Randy Webb said:
[snippy-snip]
That is more for loading HTML that has script elements in it than
dealing with JSON.
I noticed that, and bookmarked it just in case it might come in handy
while I'm rewriting this horrible, awful, incredibly so bad that even I
know it sucks code from a certain offshore company.
--
Anthony Levensalor
an*****@mypetprogrammer.com

Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
Dec 28 '07 #7
Response to David Mark <dm***********@gmail.com>:
Don't believe most of what you read. Never use eval unless its
use is appropriate. Evaluating JSON data is an appropriate use.
Just don't do it if the data comes from somebody else's server.
In what situation does pure JSON need to be eval'd?

--
-Lost
Remove the extra words to reply by e-mail. Don't e-mail me. I am
kidding. No I am not.
Dec 28 '07 #8
-Lost said:
Response to My Pet Programmer <an*****@mypetprogrammer.com>:
Basically named arrays become parent Objects and "anonymous" arrays
become Array literals in JavaScript.

I've never had to eval any JSON output from PHP, but I've never not
named sub-arrays. *shrugs*
Actually, that makes sense. I was not aware that if I named the arrays
it would "just work". And I'll be damned, you're right. I just tested
it. Thanks a million for that!

~A!

--
Anthony Levensalor
an*****@mypetprogrammer.com

Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
Dec 28 '07 #9
Richard Cornford said:
[snip]
(So the next script insertion issue is with what the client-side script
does with the 'description' field, but that has nothing to do with
whether it is 'safe' to - eval - a JSON response.)
Wow, thank you, Richard. I appreciate you taking the time to write that
out for us. That's awesome stuff. I'll definitely put some things in
place on the server to make sure my local stuff stays safe.

~A!
--
Anthony Levensalor
an*****@mypetprogrammer.com

Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
Dec 28 '07 #10
-Lost wrote:
Response to David Mark <dm***********@gmail.com>:
>Don't believe most of what you read. Never use eval unless its
use is appropriate. Evaluating JSON data is an appropriate use.
Just don't do it if the data comes from somebody else's server.

In what situation does pure JSON need to be eval'd?
Pardon? JSON is the JavaScript Object Notation, a data interchange format.
Name an instance where it would *not* be used to create a JS object from
the transferred data. Using the built-in eval() method to do just that
appears only natural to me, observing the usual caveats.

http://en.wikipedia.org/wiki/JSON
PointedEars
--
var bugRiddenCrashPronePieceOfJunk = (
navigator.userAgent.indexOf('MSIE 5') != -1
&& navigator.userAgent.indexOf('Mac') != -1
) // Plone, register_function.js:16
Dec 28 '07 #11
In comp.lang.javascript message <gM*********************@giganews.com>,
Fri, 28 Dec 2007 03:17:12, Randy Webb <Hi************@aol.com> posted:
>
Anything that says "never, ever use eval" is just as bad as using eval
when you don't need to.
Yes.
The rule of thumb is "Don't use eval for anything other than its
intended purpose".
Well, valid uses may appear that were not originally foreseen. One
should never use it when the languages (e.g. JS + HTML) provide a safer,
and maybe a simpler, alternative.
The purpose of eval is to evaluate code "not known at runtime".
That is unmitigated nonsense, probably misquoted from something more
carefully written. How can unknown code be evaluated? Even the output
of a random-code generator will be known, though in this case not by a
person, before it can be used.

The (apparent) purpose of eval is to evaluate code which cannot be known
at the time of authoring the code in which the eval occurs.

See FAQ 4.40 :-
4.40 When should I use eval?
The eval() function should only be used when it is necessary to evaluate
a string supplied or composed at run-time; the string can be anything
from a simple (but unpredictable) expression such as 12*2.54 to a
substantial piece of javascript code.

But I'd now suggest changing "composed" to the less anthropocentric
"constructed"; and possibly mentioning eval of trusted JSON as sound.

--
(c) John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
<URL:http://www.merlyn.demon.co.uk/TP/BP/Delphi/> &c., FAQqy topics & links;
<URL:http://www.merlyn.demon.co.uk/clpb-faq.txt> RAH Prins : c.l.p.b mFAQ;
<URL:ftp://garbo.uwasa.fi/pc/link/tsfaqp.zip> Timo Salmi's Turbo Pascal FAQ.
Dec 30 '07 #12
Dr J R Stockton said the following on 12/30/2007 11:05 AM:
In comp.lang.javascript message <gM*********************@giganews.com>,
Fri, 28 Dec 2007 03:17:12, Randy Webb <Hi************@aol.com> posted:
>Anything that says "never, ever use eval" is just as bad as using eval
when you don't need to.

Yes.
>The rule of thumb is "Don't use eval for anything other than its
intended purpose".

Well, valid uses may appear that were not originally foreseen. One
should never use it when the languages (e.g. JS + HTML) provide a safer,
and maybe a simpler, alternative.
And that alternative exists for JSON.
>The purpose of eval is to evaluate code "not known at runtime".

That is unmitigated nonsense, probably misquoted from something more
carefully written. How can unknown code be evaluated? Even the output
of a random-code generator will be known, though in this case not by a
person, before it can be used.
I would try to satisfy your pedantic desires but I won't waste the time.
The (apparent) purpose of eval is to evaluate code which cannot be known
at the time of authoring the code in which the eval occurs.
While you could make an argument for that, it is not always true. Most
JSON is known at the time the code is authored. People tend to use eval
simply because of ease and the lack of knowing how to do it any other way.
See FAQ 4.40 :-
4.40 When should I use eval?
The eval() function should only be used when it is necessary to evaluate
a string supplied or composed at run-time; the string can be anything
from a simple (but unpredictable) expression such as 12*2.54 to a
substantial piece of javascript code.

But I'd now suggest changing "composed" to the less anthropocentric
"constructed"; and possibly mentioning eval of trusted JSON as sound.
<URL: http://jibbering.com/faq/index.html#FAQ5_2>

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Dec 31 '07 #13
In comp.lang.javascript message <9O*********************@giganews.com>,
Sun, 30 Dec 2007 20:05:09, Randy Webb <Hi************@aol.com> posted:
>
>The (apparent) purpose of eval is to evaluate code which cannot be known
at the time of authoring the code in which the eval occurs.

While you could make an argument for that, it is not always true. Most
JSON is known at the time the code is authored. People tend to use eval
simply because of ease and the lack of knowing how to do it any other
way.
Since you do not see the distinction between the "purpose of eval" and
the intent of any particular use (by the ignorant), there's no point in
discussing it with you.

--
(c) John Stockton, Surrey, UK. ??*@merlyn.demon.co.uk Turnpike v6.05 MIME.
Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.

Food expiry ambiguities: <URL:http://www.merlyn.demon.co.uk/date2k-3.htm#Food>
Dec 31 '07 #14