+ 5

Hello World! Why everyone say eval() function is dangerous..?

I look at my code or in someone else that uses eval() function, in the comments, they will always say: “Don't use eval() function, it's dangerous! (emoji)” and I asked myself: “Why they say eval() function is very dangerous?” I only know that eval() function can only be used to compute maths like 1+1, and others. I'm so curious that I searched it, the results are: “They are dangerous 'cause eval() function can execute untrusted codes and ‘blah blah blah’” I only say to myself that eval() can only compute math problems, what's and where's scary and dangerous part of it?! ( Can you exactly explain why eval() function's so dangerous, and I will be happy if you give a code example of how and why it's scary! ;) ) All answers are appreciated

eval()dangerous!?how_and_why

3rd May 2021, 2:08 PM

trash

11 Answers

+ 6

Hape 's explanation applies for eval() in JS. MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval Everything.js : https://www.sololearn.com/post/250993/?ref=app https://www.sololearn.com/post/97586/?ref=app

3rd May 2021, 3:29 PM

Gordon

+ 9

Don't accept strings to evaluate from untrusted input‼️‼️‼️ 💀 https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html 👽 https://link.medium.com/bSDrJOiphlb ☠️ Just try carefully‼️ a = [0] print(a) # [0] eval(input()) # ⬅️ a.append(1) print(a) # [0, 1] exec(input()) # ⬅️ a.append(2) print(a) # [0, 1, 2]

18th Nov 2021, 8:03 AM

Janusz Bujak 🇵🇱 🇺🇦

+ 5

While eval can't execute arbitrary code directly like exec can do, it can still call functions in your program which were supposed to be only called by your program in specific places which in turn can lead to your code breaking / behaving in unintended ways. It is also possible to call arbitrary code from eval if there is an exec call in the string given to eval which is obviously dangerous. All of this is obviously only dangerous when calling eval with arbitrary user input or other strings whose content you don't control yourself. https://code.sololearn.com/cA595A01a23a/?ref=app

3rd May 2021, 2:39 PM

Hape

+ 4

With eval you could change the program data the way you want. Example: a = [1, 2, 3] eval(input()) ^ Here you could change the data of list a by entering "a.append(10)". + you would get access to any global functions in the program, like "exec", which is quite similar to eval, but instead of evaluating a value it can run a whole block of code.

3rd May 2021, 2:38 PM

Seb TheS

+ 4

I thought you were asking about eval in python. In JS eval is similar to exec in python in that it can run arbitrary code. Which, as I already mentioned, is very dangerous when done with for example user input or data from any other source you can't trust.

3rd May 2021, 3:02 PM

Hape

+ 4

It happens when you put user input as string in database and execute the string as code. It does not happen in most situations.

4th May 2021, 12:52 PM

Gordon

+ 3

Hape You can call exec with eval.

3rd May 2021, 2:42 PM

Seb TheS

+ 2

Seb TheS Yes that's what I wrote? It is also in the code I posted.