Eval is Evil!

Translated from German using DeepL.

Date: March 2020
Reading time: 3 minutes


A few weeks ago, I was tasked with writing a calculator. The biggest difficulty was calculating the result. I spent a lot of time writing the code that was supposed to perform the calculations, but it was extremely difficult. So I started to do some research, and that is how I came across eval().

What is Eval?

eval() is a function to which you pass a string. It parses the string as JavaScript code, runs it, and returns the value of the last expression that was evaluated. The function really convinced me because it also respects operator precedence (multiplication and division before addition and subtraction).

var calculation = '2+3*5';
console.log(eval(calculation)); // 17

Evil?

I was really relieved when I discovered eval(). But then I came across the following headline: "Never use eval()!"

So I kept searching. But I only came across pages claiming the same thing.

The saying "Eval is Evil" is attributed to Douglas Crockford, the creator of JSON and JSLint and a long-time member of the ECMAScript standards committee. He is one of the main reasons why eval() is regarded as something evil.

This is why eval() is seen as a bad thing:

If the calculation is taken from an input field, you have a security hole: whatever is typed into that field is not merely evaluated as arithmetic but executed as JavaScript, with the full privileges of your page (or, in Node.js, of your process). Code injected this way can read cookies and the DOM, call any API, or, in Node.js, spawn processes. In a purely local calculator the only person typing is the user, so the damage is confined to their own browser session; the hole becomes serious as soon as the expression can come from somewhere else, for example a URL parameter, a shared link or a server. eval() also makes debugging harder, because the code being run does not exist in any source file, and it slows the application down: the string has to be parsed and compiled at run time, and a direct eval() call can introduce variables into the surrounding scope, which prevents the engine from optimising that scope. The performance side has improved a lot in recent years, but eval() is still far slower than ordinary code. In the browser, a Content Security Policy with a script-src directive additionally blocks eval() unless the policy explicitly allows 'unsafe-eval'.

I also see it as a disadvantage that, if a value of a different data type is passed, eval() simply returns that value unchanged.

I found the following example of the insecurity:

According to the author, this command would delete all files in the current working directory.

// Deliberately dangerous example (Node.js). The "user input" is spliced
// unquoted into a code string, so eval() compiles and runs it as JavaScript.
const valueFromInput = `require("child_process").exec('rm -rf ./*')`;
// Do not run this: exec() starts a shell, which expands ./* and deletes
// every file in the working directory.
eval(`console.log("User input: " + ${valueFromInput})`);

Alternative

I have found another, similar function, the Function constructor (new Function(...), also reachable as window.Function). However, it has the same problems: the string is still compiled and run as JavaScript. It is best to write the evaluation function yourself or use a library.

Examples:

  • expression-eval
  • math.js

I will not go into the two options here, as I have neither tested them nor looked into them thoroughly.

If you do not want to replace eval(), you should at least validate the input before passing it to the function: check it against an allowlist of the characters a calculation may contain (digits, a decimal point, + - * /, parentheses and whitespace) and reject the whole input if anything else appears, rather than trying to strip out characters you think are dangerous. Note that this only closes the injection hole; the debugging, performance and Content Security Policy drawbacks remain, because the string is still handed to the JavaScript compiler.

Conclusion

eval() is rarely used nowadays because of its security and performance problems. As a rule, you should avoid the function. However, there are also cases where it makes sense to use it.

Ultimately, however, everyone must assess for themselves whether they want to make use of eval(). The important thing is simply to be aware of the risks.

Nevertheless, I am glad that I discovered eval(). In my case, neither performance nor security was the main focus of the exercise. Besides, I read the characters via onkeypress rather than from an input field. Therefore, I have left the function in my application for the time being.