+ 5
Hello World! Why everyone say eval() function is dangerous..?
I look at my code or in someone else that uses eval() function, in the comments, they will always say: “Don't use eval() function, it's dangerous! (emoji)” and I asked myself: “Why they say eval() function is very dangerous?” I only know that eval() function can only be used to compute maths like 1+1, and others. I'm so curious that I searched it, the results are: “They are dangerous 'cause eval() function can execute untrusted codes and ‘blah blah blah’” I only say to myself that eval() can only compute math problems, what's and where's scary and dangerous part of it?! ( Can you exactly explain why eval() function's so dangerous, and I will be happy if you give a code example of how and why it's scary! ;) ) All answers are appreciated
11 Réponses
+ 6
Hape 's explanation applies for eval() in JS.
MDN:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
Everything.js :
https://www.sololearn.com/post/250993/?ref=app
https://www.sololearn.com/post/97586/?ref=app
+ 9
Don't accept strings to evaluate from untrusted input‼️‼️‼️
💀
https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
👽
https://link.medium.com/bSDrJOiphlb
☠️
Just try carefully‼️
a = [0]
print(a) # [0]
eval(input()) # ⬅️ a.append(1)
print(a) # [0, 1]
exec(input()) # ⬅️ a.append(2)
print(a) # [0, 1, 2]
+ 5
While eval can't execute arbitrary code directly like exec can do, it can still call functions in your program which were supposed to be only called by your program in specific places which in turn can lead to your code breaking / behaving in unintended ways. It is also possible to call arbitrary code from eval if there is an exec call in the string given to eval which is obviously dangerous.
All of this is obviously only dangerous when calling eval with arbitrary user input or other strings whose content you don't control yourself.
https://code.sololearn.com/cA595A01a23a/?ref=app
+ 4
With eval you could change the program data the way you want.
Example:
a = [1, 2, 3]
eval(input())
^ Here you could change the data of list a by entering "a.append(10)".
+ you would get access to any global functions in the program, like "exec", which is quite similar to eval, but instead of evaluating a value it can run a whole block of code.
+ 4
I thought you were asking about eval in python.
In JS eval is similar to exec in python in that it can run arbitrary code. Which, as I already mentioned, is very dangerous when done with for example user input or data from any other source you can't trust.
+ 4
It happens when you put user input as string in database and execute the string as code. It does not happen in most situations.
+ 3
Hape You can call exec with eval.
+ 2
Seb TheS Yes that's what I wrote? It is also in the code I posted.
+ 2
People can use it to inject malicious code (cross site scripting and sql injection vulnerabilities)
+ 1
Gordon Ooh nice, thanks! So eval() can be use for malicious codings huh? Seems interesting.