Sorry... another question about eval()

[sneill]

I have read a number of posts on the use of eval() in Javascript, and I
agree that its use is questionable. But it does beg the following
question:

"How arbitrary does a string need to be before the use of eval() is
required to execute it?"

Given the following code, I'm able to evaluate/execute most expressions
like: "a.b.c.d()"

var aPart = sExpression.split(".");
var oContext = window;
var i = 0;
var iSize = aPath.length - 1;

while (i < iSize && (oContext = oContext[aPart[i++]])) { }

// execute the function
oContext[aPart.replace(/\(\)/, "")]();

But given a more complex expression, is the use of eval() justified?
For example, what about: "a.b(c.d())"

Any thoughts?

Steve

 

[Randy Webb]

(e-mail address removed) said the following on 8/12/2005 4:31 PM:

I have read a number of posts on the use of eval() in Javascript, and I
agree that its use is questionable.

It's beyond questionable. 99% (probably more) of the uses of eval you
see in scripting is due directly to the incompetence of the person who
wrote it.

But it does beg the following question:

"How arbitrary does a string need to be before the use of eval() is
required to execute it?"

Arbitrary doesn't matter. What matters is whether you know the string,
and it's content, at runtime or not. eval's use is to execute code that
is unknown at runtime.

 

[steveneill]

The question posed in the original post seems more academic. The key
phrase is "arbitrary", possibly implying the string has unknown
complexity. Given this scenario, should eval() be used?

 

[Randy Webb]

(e-mail address removed) said the following on 8/12/2005 5:37 PM:

The question posed in the original post seems more academic.

What original post? The one you didn't bother to quote anything about?

<URL: http://jibbering.com/faq/#FAQ2_3 >

"When replying to a message on the group trim quotes of the preceding
messages to the minimum needed and add your comments below the pertinent
section of quoted material, as per FYI28/RFC1855 (never top post). "

The key phrase is "arbitrary", possibly implying the string has unknown
complexity.

How written words are taken is in the mind of the reader, not the
writer. It means that what you read and get out of something is not what
someone else may get from it.

This was the question:
<quote>
"How arbitrary does a string need to be before the use of eval() is
required to execute it?"
</quote>

And the answer remains the same:

<quote cite="answer">
Arbitrary doesn't matter. What matters is whether you know the string,
and it's content, at runtime or not. eval's use is to execute code that
is unknown at runtime.

Given this scenario, should eval() be used?

Only if there is no other way to do it, and that depends directly on
what the code is. It is not a simple question with a simple answer as
you seem to be trying to make it.

But generally, the answer is no. Do NOT use eval until every, any and
all other remedies/attempts are exhausted.

 

[Lasse Reichstein Nielsen]

"How arbitrary does a string need to be before the use of eval() is
required to execute it?"

If the string is known when you write the code (or if you build it
using code that is), then eval is *never* needed, and all it does is
to delay any syntax errors you might make to when eval is called,
instead of when the program is loaded.

So, I'm assuming that you have a string provided only at runtime.

Given the following code, I'm able to evaluate/execute most expressions
like: "a.b.c.d()"

However, that string looks like it is written specially for the
current page, since it knows about the runtime environment it is being
executed in. That, most likely, means that it was the author of the
page (or someone related) who wrote the string. In that case you can
trust the format and using "eval" on it isn't much different from
evaluating it as a <script src="thecode.js" ...> element.

If the string is *not* supplied by the same authority as the page,
then it is less likely to be based on the structure of the data
already available in the runtime environment, and more likely to be
expected in a restricted format.

If that format happens to be a subset of Javascript syntax and
has the same semantics as it does in Javascript, then you might
use eval. However, I would first check that the string does
have the expected format.

E.g., if the user must provide a fraction, e.g., "2/7", then I would
*check* the format, most lilely using a regular expression like
(/^\d+\/[1-9]\d*$/).

I might use eval after that, because I know what is going to happen and
that the eval will not do something unexpected, but it would be about as
simple to just capture the numbers with the regexp and do the evaluation
manually:
var match = /^(\d+)\/([1-9]\d*)$/.exec(string)
var frac = match[1] / match[2];
(This particular example actually showed eval being slightly faster,
but that's not something I'd worry about unless you are doing a *lot*
of conversions).


So, eval is never needed for strings provided when the script is
written, nor for strings generated by the program itself.

For trusted strings provided at runtime, eval can be reasonable.

For untrusted strings provided at runtime, you should first check
the format. The format is probably so simple that you don't need
eval if you can check it.

The danger of eval is that it hides errors by being more acceptig than
what is really needed for a given job, by turning syntax errors into
runtime errors, and increasing complecity by adding an extra level to
the programming (code *and* values that become code, at the same
time). Complexity makes maintenance harder.

The average web page scripter is not trained in computer science, and
extra complexity is an error waiting to happen. He should not use eval
at all.

The competent developer should consider whether eval really is the
simplest, and most maintainable, way of doing what is needed. It might
be, but if you need to ask in this group, we'll assume you are not
able to judge it yourself, and then you shouldn't use it.

/L

 

[Dr John Stockton]

JRS: In article <AMudnZ2dnZ1zkm32nZ2dne-MYN-dnZ2dRVn-
(e-mail address removed)>, dated Fri, 12 Aug 2005 17:15:35, seen in

Arbitrary doesn't matter. What matters is whether you know the string,
and it's content, at runtime or not. eval's use is to execute code that
is unknown at runtime.

That would be clever; but perhaps you mean code that cannot be known at
authoring time, and that does something that cannot be done by other
code knowable at authoring time.

 

[Randy Webb]

Dr John Stockton said the following on 8/13/2005 7:46 AM:

JRS: In article <AMudnZ2dnZ1zkm32nZ2dne-MYN-dnZ2dRVn-
(e-mail address removed)>, dated Fri, 12 Aug 2005 17:15:35, seen in



That would be clever; but perhaps you mean code that cannot be known at
authoring time,

No, I meant what I wrote. Code unknown at runtime.

and that does something that cannot be done by other
code knowable at authoring time.

No, again, I meant what I wrote. Code unknown at runtime.

<input type="text" onchange="eval(this.value)">

Given that in a local (or web page) as an input to calculate formulas
that are known by the user but unknown by the author. Yes, it could be
done with "other code" that is knowable at authoring time. But it is
ingnorant at best to write code, other than eval, to accomplish it.

Given this expression (or one of your own imagination):

9*8/5-6*15+26-59+35.6-98/52

You could write code that would split it, determine precedence, and then
perform calculations. But why? That is eval's use: To execute code
unknown at runtime.

Now, if you are dynamically creating code, then it is still known at
runtime by the author and can be decided whether to eval it or not, but
it is still reasonably known at runtime.

 

[Dr John Stockton]

JRS: In article <[email protected]>, dated Sat, 13 Aug
2005 17:46:21, seen in Randy Webb

Dr John Stockton said the following on 8/13/2005 7:46 AM:

No, I meant what I wrote. Code unknown at runtime.


No, again, I meant what I wrote. Code unknown at runtime.

<input type="text" onchange="eval(this.value)">

Given that in a local (or web page) as an input to calculate formulas
that are known by the user but unknown by the author. Yes, it could be
done with "other code" that is knowable at authoring time. But it is
ingnorant at best to write code, other than eval, to accomplish it.

Given this expression (or one of your own imagination):

9*8/5-6*15+26-59+35.6-98/52

You could write code that would split it, determine precedence, and then
perform calculations. But why? That is eval's use: To execute code
unknown at runtime.

That code is known at runtime. Not known at the start of runtime, not
known by the page author at any time, but known during runtime. One can
give a non-existent variable to eval, or one with a value that is
undefined, null, NaN; but not one whose value is unknown.

 

[Randy Webb]

Dr John Stockton said the following on 8/14/2005 9:30 AM:

JRS: In article <[email protected]>, dated Sat, 13 Aug
2005 17:46:21, seen in Randy Webb



That code is known at runtime.

No, it would not be if it were user entered. Read what I wrote "known by
the user but unknown by the author". The only thing the authors knows is
that it *should* be a mathematical formula.

Not known at the start of runtime, not known by the page author at
any time, but known during runtime.

I see now, you are splitting hairs, ok.

One can give a non-existent variable to eval, or one with a value that is
undefined, null, NaN; but not one whose value is unknown.

Let me explain it a little better in a way that you may understand what
I meant then. Code that is unknown at the time of execution. Now, stop
splitting hairs, or is that the best you can do?

 

[Lasse Reichstein Nielsen]

Let me explain it a little better in a way that you may understand
what I meant then. Code that is unknown at the time of execution.

Still not a good way of saying it. At time of execution, the
Javascript interpreter does know the code. What, I think, you
are trying to say is tat the code is unknown by the author,
i.e., unknown at the time the script is written.

/L

 

[Randy Webb]

Lasse Reichstein Nielsen said the following on 8/14/2005 9:16 PM:

Still not a good way of saying it. At time of execution, the
Javascript interpreter does know the code. What, I think, you
are trying to say is tat the code is unknown by the author,
i.e., unknown at the time the script is written.

Unknown by the author at time of execution.

If it is dynamically created code, then it can be reasonably known by
the author at the time the script is written, but eval wouldn't be the
best way of executing it.

But since I very seldom use eval other than testing it's speed against
other methods, it's a moot point to me. Just don't use it and it's not a
problem

 

[sneill]

Thank you John, Lasse for your constructive comments.

Steve