When should I use eval (taking a string and executing it as code at runtime)?

Question

I've often heard the argument (in javascript, but many languages have an eval-like feature) that using eval is "bad." The arguments being that most things you would think to use eval for can be done other ways, the fact that eval is very slow in most cases, and that it can allow users to input code to be executed (if proper precaution wasn't taken). We know that most features aren't just inherently "bad", but lets but the spotlight on eval,

What are some of eval's valid uses? (besides offering a nice feature for developers debugging the application)

Answer 1

A read-eval-print loop would usually be implemented using eval.

Answer 2

The pitfall of eval is the same that comes with SQL injection. If you're constructing the string dynamically in your code and calling eval on that fine. But if your code is blindly concatenating user input into a string to be eval'd then you're asking for it. There are numerous cases where eval can be useful but people tend to avoid it because there are other ways to work around the need for an eval.

Answer 3

Decoding json from a trustworthy source. Evaluating a user-entered expression like in a graphing calculator. Can't think of too much else, though it was abused quite a bit back in the late 90's by people who didn't want to learn the right ways to access page elements.

Answer 4

eval() has good and bad points. The worst aspect of eval in any language that supports it is that it opens the door wide for security holes. If an exploiter can figure out how to get any custom code he writes into an eval statement in your application then he probably has the ability to do all sorts of nefarious things like steal private data or disable services that your application provides. Performance is another concern which you already voiced.

Eval really shines in areas where your code may need to dynamically generate other code to perform a complex task easily. I can't think of an example right now but any case where you needed to do this is probably not going to be trivial. I'd recommend doing this only when absolutely necessary to minimize the risk of the point i made in the previous paragraph though. If possible, never trust user input as safe enough to use eval with.

Answer 5

I once wrote a perl CGI script whose output was perl code, which was retrieved by another script on another machine and eval()'d. It was only secure because I was in control of both ends, but it certainly solved a problem that would otherwise have required me to invent some kind of serialization format in an era before XML was widely known.

Answer 6

It makes metaprogramming a cinch. Great if you want to analyse a program in some way (ie for debugging or profiling purposes).

Answer 7

The only legit use for eval is for executing code that you have no control over (which you shouldn't ever do unless you're making a javascript sandbox).