+ 5

Hello World! Why does everyone say the eval() function is dangerous?

When I look at my code, or at someone else's code that uses the eval() function, the comments always say: "Don't use the eval() function, it's dangerous! (emoji)" and I asked myself: "Why do they say the eval() function is very dangerous?" I only know that the eval() function can be used to compute maths like 1+1 and so on. I was so curious that I searched it, and the results were: "They are dangerous because the eval() function can execute untrusted code and 'blah blah blah'". I just say to myself that eval() can only compute math problems, so what and where is the scary and dangerous part of it?! (Can you explain exactly why the eval() function is so dangerous? I would be happy if you gave a code example of how and why it's scary! ;) ) All answers are appreciated.

3rd May 2021, 2:08 PM
trash
11 Answers
+ 9
Don't accept strings to evaluate from untrusted input‼️‼️‼️

💀 https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html
👽 https://link.medium.com/bSDrJOiphlb
☠️ Just try carefully‼️

```python
a = [0]
print(a)       # [0]
eval(input())  # ⬅️ type: a.append(1)
print(a)       # [0, 1]
exec(input())  # ⬅️ type: a.append(2)
print(a)       # [0, 1, 2]
```
18th Nov 2021, 8:03 AM
Janusz Bujak 🇵🇱 🇺🇦
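The snippet above shows the mutation side effect; the usual fix for "I only want arithmetic" is to stop handing the string to eval() at all and instead parse it with the ast module and accept only number literals and arithmetic operators. The following is an added example (not code from the thread or from any of the posters); safe_eval, demo_unsafe and demo_safe are hypothetical names, and the operator whitelist is an assumption about what a calculator needs.

```python
import ast
import operator

# Whitelist of operators the restricted evaluator will apply (assumption: a
# calculator needs only these). ** is deliberately absent: "9**9**9" would
# tie up the CPU, which is its own kind of untrusted-input problem.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv,
            ast.Mod: operator.mod}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_eval(expr: str) -> float:
    """Evaluate arithmetic only; unlike eval(), names, attribute access and
    calls such as "a.append(1)" or "exec(...)" are rejected with ValueError."""
    tree = ast.parse(expr, mode="eval")  # SyntaxError propagates for junk
    return _walk(tree.body)


def _walk(node: ast.AST) -> float:
    # Number literal (bool is a subclass of int, so exclude True/False)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_walk(node.left), _walk(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand))
    # Anything else (Name, Attribute, Call, Subscript, ...) is refused
    raise ValueError(f"disallowed construct: {type(node).__name__}")


def demo_unsafe(user_text: str) -> list:
    """The thread's point: eval() on untrusted text reaches program data."""
    a = [0]
    eval(user_text)  # "a.append(1)" mutates a even though it is not arithmetic
    return a


def demo_safe(user_text: str):
    """Same input through safe_eval: arithmetic works, anything else is refused."""
    try:
        return safe_eval(user_text)
    except (ValueError, SyntaxError) as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print(demo_unsafe("a.append(1)"))   # [0, 1]
    print(demo_safe("a.append(1)"))     # rejected: disallowed construct: Call
    print(demo_safe("-(2*3) % 4"))      # 2
```

For plain data (lists, dicts, numbers, strings) rather than arithmetic, the standard library's ast.literal_eval does the same kind of whitelisting without any custom walker.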
+ 5
While eval can't execute arbitrary code directly like exec can, it can still call functions in your program which were supposed to be called only by your program in specific places, which in turn can lead to your code breaking or behaving in unintended ways. It is also possible to run arbitrary code from eval if there is an exec call in the string given to eval, which is obviously dangerous. All of this is of course only dangerous when calling eval with arbitrary user input or other strings whose content you don't control yourself. https://code.sololearn.com/cA595A01a23a/?ref=app
3rd May 2021, 2:39 PM
Hape
+ 4
With eval you could change the program data any way you want. Example:

```python
a = [1, 2, 3]
eval(input())
```

Here you could change the data of list a by entering "a.append(10)". Plus, you would get access to any global functions in the program, like "exec", which is quite similar to eval, but instead of evaluating a value it can run a whole block of code.
3rd May 2021, 2:38 PM
Seb TheS
+ 4
I thought you were asking about eval in Python. In JS, eval is similar to exec in Python in that it can run arbitrary code, which, as I already mentioned, is very dangerous when done with, for example, user input or data from any other source you can't trust.
3rd May 2021, 3:02 PM
Hape
+ 4
It happens when you put user input as string in database and execute the string as code. It does not happen in most situations.
4th May 2021, 12:52 PM
Gordon
+ 3
Hape You can call exec with eval.
3rd May 2021, 2:42 PM
Seb TheS
+ 2
Seb TheS Yes, that's what I wrote? It is also in the code I posted.
3rd May 2021, 2:43 PM
Hape
+ 2
People can use it to inject malicious code (cross-site scripting and SQL injection vulnerabilities).
5th May 2021, 1:02 AM
Alaa Aldeen Shammr
+ 1
Hape Seb TheS Ooh, I understand now, but what about in JavaScript?
3rd May 2021, 2:54 PM
trash
+ 1
Gordon Ooh nice, thanks! So eval() can be used for malicious coding, huh? Seems interesting.
4th May 2021, 4:09 AM
trash