Sorry... another question about eval()

Discussion in 'Javascript' started by sneill@mxlogic.com, Aug 12, 2005.

  1. Guest

    I have read a number of posts on the use of eval() in Javascript, and I
    agree that its use is questionable. But it does beg the following
    question:

    "How arbitrary does a string need to be before the use of eval() is
    required to execute it?"

    Given the following code, I'm able to evaluate/execute most expressions
    like: "a.b.c.d()"

    var aPart = sExpression.split(".");
    var oContext = window;
    var i = 0;
    var iSize = aPath.length - 1;

    while (i < iSize && (oContext = oContext[aPart[i++]])) { }

    // execute the function
    oContext[aPart.replace(/\(\)/, "")]();

    But given a more complex expression, is the use of eval() justified?
    For example, what about: "a.b(c.d())"

    Any thoughts?

    Steve
     
    , Aug 12, 2005
    #1
    1. Advertising

  2. Randy Webb Guest

    said the following on 8/12/2005 4:31 PM:

    > I have read a number of posts on the use of eval() in Javascript, and I
    > agree that its use is questionable.


    It's beyond questionable. 99% (probably more) of the uses of eval you
    see in scripting is due directly to the incompetence of the person who
    wrote it.

    > But it does beg the following question:
    >
    > "How arbitrary does a string need to be before the use of eval() is
    > required to execute it?"


    Arbitrary doesn't matter. What matters is whether you know the string,
    and it's content, at runtime or not. eval's use is to execute code that
    is unknown at runtime.

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
     
    Randy Webb, Aug 12, 2005
    #2
    1. Advertising

  3. Guest

    The question posed in the original post seems more academic. The key
    phrase is "arbitrary", possibly implying the string has unknown
    complexity. Given this scenario, should eval() be used?
     
    , Aug 12, 2005
    #3
  4. Randy Webb Guest

    said the following on 8/12/2005 5:37 PM:

    > The question posed in the original post seems more academic.


    What original post? The one you didn't bother to quote anything about?

    <URL: http://jibbering.com/faq/#FAQ2_3 >

    "When replying to a message on the group trim quotes of the preceding
    messages to the minimum needed and add your comments below the pertinent
    section of quoted material, as per FYI28/RFC1855 (never top post). "

    > The key phrase is "arbitrary", possibly implying the string has unknown
    > complexity.


    How written words are taken is in the mind of the reader, not the
    writer. It means that what you read and get out of something is not what
    someone else may get from it.

    This was the question:
    <quote>
    "How arbitrary does a string need to be before the use of eval() is
    required to execute it?"
    </quote>

    And the answer remains the same:

    <quote cite="answer">
    Arbitrary doesn't matter. What matters is whether you know the string,
    and it's content, at runtime or not. eval's use is to execute code that
    is unknown at runtime.
    </quote>

    > Given this scenario, should eval() be used?


    Only if there is no other way to do it, and that depends directly on
    what the code is. It is not a simple question with a simple answer as
    you seem to be trying to make it.

    But generally, the answer is no. Do NOT use eval until every, any and
    all other remedies/attempts are exhausted.

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
     
    Randy Webb, Aug 13, 2005
    #4
  5. writes:

    > "How arbitrary does a string need to be before the use of eval() is
    > required to execute it?"


    If the string is known when you write the code (or if you build it
    using code that is), then eval is *never* needed, and all it does is
    to delay any syntax errors you might make to when eval is called,
    instead of when the program is loaded.

    So, I'm assuming that you have a string provided only at runtime.

    > Given the following code, I'm able to evaluate/execute most expressions
    > like: "a.b.c.d()"


    However, that string looks like it is written specially for the
    current page, since it knows about the runtime environment it is being
    executed in. That, most likely, means that it was the author of the
    page (or someone related) who wrote the string. In that case you can
    trust the format and using "eval" on it isn't much different from
    evaluating it as a <script src="thecode.js" ...> element.

    If the string is *not* supplied by the same authority as the page,
    then it is less likely to be based on the structure of the data
    already available in the runtime environment, and more likely to be
    expected in a restricted format.

    If that format happens to be a subset of Javascript syntax and
    has the same semantics as it does in Javascript, then you might
    use eval. However, I would first check that the string does
    have the expected format.

    E.g., if the user must provide a fraction, e.g., "2/7", then I would
    *check* the format, most lilely using a regular expression like
    (/^\d+\/[1-9]\d*$/).

    I might use eval after that, because I know what is going to happen and
    that the eval will not do something unexpected, but it would be about as
    simple to just capture the numbers with the regexp and do the evaluation
    manually:
    var match = /^(\d+)\/([1-9]\d*)$/.exec(string)
    var frac = match[1] / match[2];
    (This particular example actually showed eval being slightly faster,
    but that's not something I'd worry about unless you are doing a *lot*
    of conversions).


    So, eval is never needed for strings provided when the script is
    written, nor for strings generated by the program itself.

    For trusted strings provided at runtime, eval can be reasonable.

    For untrusted strings provided at runtime, you should first check
    the format. The format is probably so simple that you don't need
    eval if you can check it.

    The danger of eval is that it hides errors by being more acceptig than
    what is really needed for a given job, by turning syntax errors into
    runtime errors, and increasing complecity by adding an extra level to
    the programming (code *and* values that become code, at the same
    time). Complexity makes maintenance harder.

    The average web page scripter is not trained in computer science, and
    extra complexity is an error waiting to happen. He should not use eval
    at all.

    The competent developer should consider whether eval really is the
    simplest, and most maintainable, way of doing what is needed. It might
    be, but if you need to ask in this group, we'll assume you are not
    able to judge it yourself, and then you shouldn't use it. :)

    /L
    --
    Lasse Reichstein Nielsen -
    DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
    'Faith without judgement merely degrades the spirit divine.'
     
    Lasse Reichstein Nielsen, Aug 13, 2005
    #5
  6. JRS: In article <AMudnZ2dnZ1zkm32nZ2dne-MYN-dnZ2dRVn-
    >, dated Fri, 12 Aug 2005 17:15:35, seen in
    news:comp.lang.javascript, Randy Webb <> posted :
    >
    >Arbitrary doesn't matter. What matters is whether you know the string,
    >and it's content, at runtime or not. eval's use is to execute code that
    >is unknown at runtime.


    That would be clever; but perhaps you mean code that cannot be known at
    authoring time, and that does something that cannot be done by other
    code knowable at authoring time.

    --
    © John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
    <URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
    <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
    <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
     
    Dr John Stockton, Aug 13, 2005
    #6
  7. Randy Webb Guest

    Dr John Stockton said the following on 8/13/2005 7:46 AM:
    > JRS: In article <AMudnZ2dnZ1zkm32nZ2dne-MYN-dnZ2dRVn-
    > >, dated Fri, 12 Aug 2005 17:15:35, seen in
    > news:comp.lang.javascript, Randy Webb <> posted :
    >
    >>Arbitrary doesn't matter. What matters is whether you know the string,
    >>and it's content, at runtime or not. eval's use is to execute code that
    >>is unknown at runtime.

    >
    >
    > That would be clever; but perhaps you mean code that cannot be known at
    > authoring time,


    No, I meant what I wrote. Code unknown at runtime.

    > and that does something that cannot be done by other
    > code knowable at authoring time.


    No, again, I meant what I wrote. Code unknown at runtime.

    <input type="text" onchange="eval(this.value)">

    Given that in a local (or web page) as an input to calculate formulas
    that are known by the user but unknown by the author. Yes, it could be
    done with "other code" that is knowable at authoring time. But it is
    ingnorant at best to write code, other than eval, to accomplish it.

    Given this expression (or one of your own imagination):

    9*8/5-6*15+26-59+35.6-98/52

    You could write code that would split it, determine precedence, and then
    perform calculations. But why? That is eval's use: To execute code
    unknown at runtime.

    Now, if you are dynamically creating code, then it is still known at
    runtime by the author and can be decided whether to eval it or not, but
    it is still reasonably known at runtime.

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
     
    Randy Webb, Aug 13, 2005
    #7
  8. JRS: In article <>, dated Sat, 13 Aug
    2005 17:46:21, seen in news:comp.lang.javascript, Randy Webb
    <> posted :
    >Dr John Stockton said the following on 8/13/2005 7:46 AM:
    >> JRS: In article <AMudnZ2dnZ1zkm32nZ2dne-MYN-dnZ2dRVn-
    >> >, dated Fri, 12 Aug 2005 17:15:35, seen in
    >> news:comp.lang.javascript, Randy Webb <> posted :
    >>
    >>>Arbitrary doesn't matter. What matters is whether you know the string,
    >>>and it's content, at runtime or not. eval's use is to execute code that
    >>>is unknown at runtime.

    >>
    >>
    >> That would be clever; but perhaps you mean code that cannot be known at
    >> authoring time,

    >
    >No, I meant what I wrote. Code unknown at runtime.
    >
    >> and that does something that cannot be done by other
    >> code knowable at authoring time.

    >
    >No, again, I meant what I wrote. Code unknown at runtime.
    >
    ><input type="text" onchange="eval(this.value)">
    >
    >Given that in a local (or web page) as an input to calculate formulas
    >that are known by the user but unknown by the author. Yes, it could be
    >done with "other code" that is knowable at authoring time. But it is
    >ingnorant at best to write code, other than eval, to accomplish it.
    >
    >Given this expression (or one of your own imagination):
    >
    >9*8/5-6*15+26-59+35.6-98/52
    >
    >You could write code that would split it, determine precedence, and then
    >perform calculations. But why? That is eval's use: To execute code
    >unknown at runtime.


    That code is known at runtime. Not known at the start of runtime, not
    known by the page author at any time, but known during runtime. One can
    give a non-existent variable to eval, or one with a value that is
    undefined, null, NaN; but not one whose value is unknown.

    --
    © John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
    <URL:http://www.jibbering.com/faq/> JL/RC: FAQ of news:comp.lang.javascript
    <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
    <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.
     
    Dr John Stockton, Aug 14, 2005
    #8
  9. Randy Webb Guest

    Dr John Stockton said the following on 8/14/2005 9:30 AM:
    > JRS: In article <>, dated Sat, 13 Aug
    > 2005 17:46:21, seen in news:comp.lang.javascript, Randy Webb
    > <> posted :
    >
    >>Dr John Stockton said the following on 8/13/2005 7:46 AM:
    >>
    >>>JRS: In article <AMudnZ2dnZ1zkm32nZ2dne-MYN-dnZ2dRVn-
    >>>>, dated Fri, 12 Aug 2005 17:15:35, seen in
    >>>news:comp.lang.javascript, Randy Webb <> posted :
    >>>
    >>>
    >>>>Arbitrary doesn't matter. What matters is whether you know the string,
    >>>>and it's content, at runtime or not. eval's use is to execute code that
    >>>>is unknown at runtime.
    >>>
    >>>
    >>>That would be clever; but perhaps you mean code that cannot be known at
    >>>authoring time,

    >>
    >>No, I meant what I wrote. Code unknown at runtime.
    >>
    >>
    >>> and that does something that cannot be done by other
    >>>code knowable at authoring time.

    >>
    >>No, again, I meant what I wrote. Code unknown at runtime.
    >>
    >><input type="text" onchange="eval(this.value)">
    >>
    >>Given that in a local (or web page) as an input to calculate formulas
    >>that are known by the user but unknown by the author. Yes, it could be
    >>done with "other code" that is knowable at authoring time. But it is
    >>ingnorant at best to write code, other than eval, to accomplish it.
    >>
    >>Given this expression (or one of your own imagination):
    >>
    >>9*8/5-6*15+26-59+35.6-98/52
    >>
    >>You could write code that would split it, determine precedence, and then
    >>perform calculations. But why? That is eval's use: To execute code
    >>unknown at runtime.

    >
    >
    > That code is known at runtime.


    No, it would not be if it were user entered. Read what I wrote "known by
    the user but unknown by the author". The only thing the authors knows is
    that it *should* be a mathematical formula.

    > Not known at the start of runtime, not known by the page author at
    > any time, but known during runtime.


    I see now, you are splitting hairs, ok.

    > One can give a non-existent variable to eval, or one with a value that is
    > undefined, null, NaN; but not one whose value is unknown.


    Let me explain it a little better in a way that you may understand what
    I meant then. Code that is unknown at the time of execution. Now, stop
    splitting hairs, or is that the best you can do?

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
     
    Randy Webb, Aug 14, 2005
    #9
  10. Randy Webb <> writes:

    > Let me explain it a little better in a way that you may understand
    > what I meant then. Code that is unknown at the time of execution.


    Still not a good way of saying it. At time of execution, the
    Javascript interpreter does know the code. What, I think, you
    are trying to say is tat the code is unknown by the author,
    i.e., unknown at the time the script is written.

    /L
    --
    Lasse Reichstein Nielsen -
    DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
    'Faith without judgement merely degrades the spirit divine.'
     
    Lasse Reichstein Nielsen, Aug 15, 2005
    #10
  11. Randy Webb Guest

    Lasse Reichstein Nielsen said the following on 8/14/2005 9:16 PM:

    > Randy Webb <> writes:
    >
    >
    >>Let me explain it a little better in a way that you may understand
    >>what I meant then. Code that is unknown at the time of execution.

    >
    >
    > Still not a good way of saying it. At time of execution, the
    > Javascript interpreter does know the code. What, I think, you
    > are trying to say is tat the code is unknown by the author,
    > i.e., unknown at the time the script is written.


    Unknown by the author at time of execution.

    If it is dynamically created code, then it can be reasonably known by
    the author at the time the script is written, but eval wouldn't be the
    best way of executing it.

    But since I very seldom use eval other than testing it's speed against
    other methods, it's a moot point to me. Just don't use it and it's not a
    problem :)

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
     
    Randy Webb, Aug 15, 2005
    #11
  12. Guest

    Thank you John, Lasse for your constructive comments.

    Steve
     
    , Aug 15, 2005
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Eric Newton
    Replies:
    3
    Views:
    9,421
    Brock Allen
    Apr 4, 2005
  2. DataBinder.Eval and Eval.

    , Jun 16, 2006, in forum: ASP .Net
    Replies:
    1
    Views:
    550
    Karl Seguin [MVP]
    Jun 16, 2006
  3. Alex van der Spek

    eval('07') works, eval('08') fails, why?

    Alex van der Spek, Jan 8, 2009, in forum: Python
    Replies:
    6
    Views:
    1,461
    Bruno Desthuilliers
    Jan 8, 2009
  4. Liang Wang
    Replies:
    8
    Views:
    134
    Ben Morrow
    Feb 2, 2008
  5. Marc Girod

    to eval or not to eval?

    Marc Girod, Apr 19, 2011, in forum: Perl Misc
    Replies:
    2
    Views:
    161
    Marc Girod
    Apr 19, 2011
Loading...

Share This Page