Why is 'eval' evil?

  • Reply Via Newsgroup

    Why is 'eval' evil?


    This might sound sad... someone requesting a dissertation on the 'eval'
    statement... but... I've been reading someone else's post - they had a
    huge calendar-like script and a handful of folk cursed the script and
    special attention was thrown at the fact the script used eval a lot.

    I don't use eval a lot in my scripts - but I do use it - and since I'm
    always out to learn more / improve my javascript skills, I'm curious why
    something I thought 'normal' would be considered abnormal.

    Can someone put some meat on the bones of 'eval' - its advantages (if
    any) and its disadvantages (which seem great).

    Thanks
    Randell D.
  • Evertjan.

    #2
    Re: Why is 'eval' evil?

    Reply Via Newsgroup wrote on 04 apr 2004 in comp.lang.javascript:

    > This might sound sad... someone requesting a dissertation on the 'eval'
    > statement... but... I've been reading someone else's post - they had a
    > huge calendar-like script and a handful of folk cursed the script and
    > special attention was thrown at the fact the script used eval a lot.
    >
    > I don't use eval a lot in my scripts - but I do use it - and since I'm
    > always out to learn more / improve my javascript skills, I'm curious why
    > something I thought 'normal' would be considered abnormal.
    >
    > Can someone put some meat on the bones of 'eval' - its advantages (if
    > any) and its disadvantages (which seem great).
    >

    <http://groups.google.com/groups?q=eval+evil>

    3540 hits

    Let's not start again til you have read them all.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)


    • Lasse Reichstein Nielsen

      #3
      Re: Why is 'eval' evil?

      Reply Via Newsgroup <reply-to-newsgroup@please.com> writes:

      > I don't use eval a lot in my scripts - but I do use it - and since I'm
      > always out to learn more / improve my javascript skills, I'm curious
      > why something I thought 'normal' would be considered abnormal.
      >
      > Can someone put some meat on the bones of 'eval' - its advantages (if
      > any) and its disadvantages (which seem great).

      As you might guess, it's not the first time someone has questioned
      the "eval is evil" slogan :) It even made the FAQ.
      <URL:http://jibbering.com/faq/#FAQ4_40>

      The short argument for not using eval is:
      "It's shooting pigeons with cannons."
      Sure, it gets the job done, but it's harder to control and takes a
      lot more resources than needed, and when it fails, it fails
      spectacularly (read: blows up in your face).

      There is (almost) no situation where there isn't another method that
      also does the job, and both more efficiently and a lot safer.

      With "more efficient" I mean that it uses fewer resources. The "eval"
      function works by first turning its argument into a string, then it
      parses the string as a Javascript program and finally it evaluates
      it. This is a very expensive operation, and the generality of it is
      only needed in rare cases that most people writing web pages will
      never meet.

      With "safer" I mean that it is less likely to fail spectacularly.
      Since eval can execute arbitrary Javascript expressions, passing the
      wrong argument can cause arbitrary errors. On a server, using eval on
      a user supplied string is a *very* bad idea. On a client, the main
      problem is that the error message is harder to connect to the actual
      error, and that, e.g., syntax errors in eval'ed code will only be
      detected at run time, not when the script is loaded. So: eval
      both introduces more possible errors and hides existing errors.

      The two most common (mis)uses of eval are:
      1) converting strings to numbers.
      There are plenty of dedicated functions and operators for just this
      problem: parseInt, parseFloat, Number, the prefix plus operator, most
      mathematical operators (string*1, string/1, string-0). Of these, the
      prefix plus is the fastest by a small margin. It is roughly *50* times
      faster than using eval (in my browser).

      2) accessing properties using a computed name.
      Example:
      eval("document.images.img"+n+".src")
      Again it is inefficient, here compared to using square-bracket
      notation for property access:
      document.images['img'+n].src
      It is also error prone. There is no syntax check, and if the variable
      "n" contains something you didn't expect, then the failure can be
      hard to find. If the property is called something that is not an
      identifier (typically "foo[]", used by PHP for form controls, or
      perhaps "foo1.1"), then the eval method fails completely.

      This is what I take as a sign that the author doesn't know the
      language very well. Often the reason for using eval like this is
      that they don't know about this way to do property access, which
      is a fundamental part of the language. Using eval like this is a
      crutch that allows them to stagger along, getting something to
      run, whereas knowing the language would let them run :)

      Then there is the third misuse (which the mentioned calendar program
      also suffered from): throwing in an eval "just for good measure",
      even though someone who knows the language can see that it doesn't do
      anything. :)

      So, eval isn't evil, that's just a good slogan :)

      Eval is *very* slow and dangerously error prone!

      For *that* reason, it should be avoided in 99.999% of all cases. As
      for the remaining two, when you meet them, you'll hopefully know the
      language well enough to be able to recognize them.

      /L
      --
      Lasse Reichstein Nielsen - lrn@hotpop.com
      DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
      'Faith without judgement merely degrades the spirit divine.'
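The two (mis)uses described in the post above, side by side with the plain language features that replace them. This is an added example, not code from the thread; `images` is a constructed stand-in for `document.images` so it runs without a DOM, and the `outcome` helper just reports which error class each eval variant throws.

```javascript
// Added example, not code from the thread: the two eval (mis)uses described
// above, each beside the dedicated language feature that replaces it.
// `images` is a constructed stand-in for document.images, so no DOM is needed.

// 1) String -> number.
function toNumber(str) {
  return +str;            // NaN for junk; never parses or runs code
}
function toNumberViaEval(str) {
  return eval(str);       // parses and RUNS the string as a program
}

// 2) Property access by a computed name.
function srcViaEval(images, name) {
  return eval("images." + name + ".src");
}
function srcViaBracket(images, name) {
  return images[name].src;
}

// Run a thunk and report "ok" or the thrown error's class name, so the
// failure mode of each variant can be compared instead of just crashing.
function outcome(fn) {
  try { fn(); return "ok"; } catch (e) { return e.constructor.name; }
}

const images = {
  img1: { src: "a.png" },
  "foo[]": { src: "b.png" },   // PHP-style form-control name
  "foo1.1": { src: "c.png" },  // also not a valid identifier
};

// Every comparison in one table: [plain language feature, eval variant].
function compare() {
  return {
    cleanNumber: [toNumber("42"), toNumberViaEval("42")],             // [42, 42]
    junkNumber:  [toNumber("42abc"), outcome(() => toNumberViaEval("42abc"))], // [NaN, "SyntaxError"]
    emptyString: [toNumber(""), toNumberViaEval("")],                 // [0, undefined]
    expression:  [toNumber("1+1"), toNumberViaEval("1+1")],           // [NaN, 2]: eval ran code
    identifier:  [srcViaBracket(images, "img1"), srcViaEval(images, "img1")],       // both "a.png"
    phpName:     [srcViaBracket(images, "foo[]"), outcome(() => srcViaEval(images, "foo[]"))],   // ["b.png", "SyntaxError"]
    dottedName:  [srcViaBracket(images, "foo1.1"), outcome(() => srcViaEval(images, "foo1.1"))], // ["c.png", "SyntaxError"]
  };
}

console.log(compare());
```

The `expression` row is the point of the thread in one line: the prefix plus converts or yields NaN, while eval quietly executed whatever the string contained.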


      • Reply Via Newsgroup

        #4
        Re: Why is 'eval' evil?

        Lasse Reichstein Nielsen wrote:
        > Reply Via Newsgroup <reply-to-newsgroup@please.com> writes:
        >
        >
        >>I don't use eval a lot in my scripts - but I do use it - and since I'm
        >>always out to learn more / improve my javascript skills, I'm curious
        >>why something I thought 'normal' would be considered abnormal.
        >>
        >>Can someone put some meat on the bones of 'eval' - its advantages (if
        >>any) and its disadvantages (which seem great).
        >
        >
        > As you might guess, it's not the first time someone has questioned
        > the "eval is evil" slogan :) It even made the FAQ.
        > <URL:http://jibbering.com/faq/#FAQ4_40>
        >
        > The short argument for not using eval is:
        > "It's shooting pigeons with cannons."
        > Sure, it gets the job done, but it's harder to control and takes a
        > lot more resources than needed, and when it fails, it fails
        > spectacularly (read: blows up in your face).
        >
        > There is (almost) no situation where there isn't another method that
        > also does the job, and both more efficiently and a lot safer.
        >
        > With "more efficient" I mean that it uses fewer resources. The "eval"
        > function works by first turning its argument into a string, then it
        > parses the string as a Javascript program and finally it evaluates
        > it. This is a very expensive operation, and the generality of it is
        > only needed in rare cases that most people writing web pages will
        > never meet.
        >
        > With "safer" I mean that it is less likely to fail spectacularly.
        > Since eval can execute arbitrary Javascript expressions, passing the
        > wrong argument can cause arbitrary errors. On a server, using eval on
        > a user supplied string is a *very* bad idea. On a client, the main
        > problem is that the error message is harder to connect to the actual
        > error, and that, e.g., syntax errors in eval'ed code will only be
        > detected at run time, not when the script is loaded. So: eval
        > both introduces more possible errors and hides existing errors.
        >
        > The two most common (mis)uses of eval are:
        > 1) converting strings to numbers.
        > There are plenty of dedicated functions and operators for just this
        > problem: parseInt, parseFloat, Number, the prefix plus operator, most
        > mathematical operators (string*1, string/1, string-0). Of these, the
        > prefix plus is the fastest by a small margin. It is roughly *50* times
        > faster than using eval (in my browser).
        >
        > 2) accessing properties using a computed name.
        > Example:
        > eval("document.images.img"+n+".src")
        > Again it is inefficient, here compared to using square-bracket
        > notation for property access:
        > document.images['img'+n].src
        > It is also error prone. There is no syntax check, and if the variable
        > "n" contains something you didn't expect, then the failure can be
        > hard to find. If the property is called something that is not an
        > identifier (typically "foo[]", used by PHP for form controls, or
        > perhaps "foo1.1"), then the eval method fails completely.
        >
        > This is what I take as a sign that the author doesn't know the
        > language very well. Often the reason for using eval like this is
        > that they don't know about this way to do property access, which
        > is a fundamental part of the language. Using eval like this is a
        > crutch that allows them to stagger along, getting something to
        > run, whereas knowing the language would let them run :)
        >
        > Then there is the third misuse (which the mentioned calendar program
        > also suffered from): throwing in an eval "just for good measure",
        > even though someone who knows the language can see that it doesn't do
        > anything. :)
        >
        > So, eval isn't evil, that's just a good slogan :)
        >
        > Eval is *very* slow and dangerously error prone!
        >
        > For *that* reason, it should be avoided in 99.999% of all cases. As
        > for the remaining two, when you meet them, you'll hopefully know the
        > language well enough to be able to recognize them.
        >
        > /L

        I have actually been using the eval for the first of the two examples
        you mentioned (converting strings to numbers) and thus will go back and
        revisit my code.

        Many thanks for taking the time to write - and as Evertjan pointed out
        in another post, I should have taken the time to google it or look at
        the FAQ but while I have viewed the FAQ before, in this instance, the
        thought had not even occurred... sorry...

        Thanks though... I'm proud of my javascript skills that I've picked up
        this year and hope to avoid bad habits which are difficult to change
        once they become habit.

        Cheers
        Randell D.


        • Reply Via Newsgroup

          #5
          Re: Why is 'eval' evil?

          Evertjan. wrote:
          > Reply Via Newsgroup wrote on 04 apr 2004 in comp.lang.javascript:
          >
          >
          >>This might sound sad... someone requesting a dissertation on the 'eval'
          >>statement... but... I've been reading someone else's post - they had a
          >>huge calendar-like script and a handful of folk cursed the script and
          >>special attention was thrown at the fact the script used eval a lot.
          >>
          >>I don't use eval a lot in my scripts - but I do use it - and since I'm
          >>always out to learn more / improve my javascript skills, I'm curious why
          >>something I thought 'normal' would be considered abnormal.
          >>
          >>Can someone put some meat on the bones of 'eval' - its advantages (if
          >>any) and its disadvantages (which seem great).
          >>
          >
          >
          > <http://groups.google.com/groups?q=eval+evil>
          >
          > 3540 hits
          >
          > Let's not start again til you have read them all.
          >

          errummmaaa.... sorry... I should have tried that but I usually only rely
          on the past seven days of threads for my knowledge... I'll try to lean a
          bit more on google groups though in the future...

          cheers
          randelld


          • Douglas Crockford

            #6
            Re: Why is 'eval' evil?

            >>This might sound sad... someone requesting a dissertation on the 'eval'
            >>statement... but... I've been reading someone else's post - they had a
            >>huge calendar-like script and a handful of folk cursed the script and
            >>special attention was thrown at the fact the script used eval a lot.
            >>
            >>I don't use eval a lot in my scripts - but I do use it - and since I'm
            >>always out to learn more / improve my javascript skills, I'm curious why
            >>something I thought 'normal' would be considered abnormal.
            >>
            >>Can someone put some meat on the bones of 'eval' - its advantages (if
            >>any) and its disadvantages (which seem great).
            >>
            >
            >
            > <http://groups.google.com/groups?q=eval+evil>
            >
            > 3540 hits
            >
            > Let's not start again til you have read them all.

            If you added JavaScript to the mix, it drops down to 348 hits. Eval is
            still plenty evil, though.


            • Reply Via Newsgroup

              #7
              Re: Why is 'eval' evil?

              Douglas Crockford wrote:
              >>> This might sound sad... someone requesting a dissertation on the
              >>> 'eval' statement... but... I've been reading someone else's post -
              >>> they had a huge calendar-like script and a handful of folk cursed the
              >>> script and special attention was thrown at the fact the script used
              >>> eval a lot.
              >>>
              >>> I don't use eval a lot in my scripts - but I do use it - and since I'm
              >>> always out to learn more / improve my javascript skills, I'm curious
              >>> why something I thought 'normal' would be considered abnormal.
              >>>
              >>> Can someone put some meat on the bones of 'eval' - its advantages (if
              >>> any) and its disadvantages (which seem great).
              >>>
              >>
              >>
              >> <http://groups.google.com/groups?q=eval+evil>
              >>
              >> 3540 hits
              >>
              >> Let's not start again til you have read them all.
              >
              >
              > If you added JavaScript to the mix, it drops down to 348 hits. Eval is
              > still plenty evil, though.


              and errrrummmmaaaa... if you add elvis to that, it drops to 5 hits ;-)



              • Richard Cornford

                #8
                Re: Why is 'eval' evil?

                Lasse Reichstein Nielsen wrote:
                <snip>
                > ... . The "eval"
                > function works by first turning its argument into a string, then it
                > parses the string as a Javascript program and finally it evaluates
                > it. ...
                <snip>

                Line 1 of the ECMA algorithm for - eval - says " if x is not a string
                value return x" (x being the argument). Though that just makes passing -
                eval - a non-string argument even more wrong than passing it a string,
                because it is pointless (programming by mystical incantation).

                Richard.

