eval()
Why is the eval JS inbuilt function not recommended to use??
eval allows you to execute a string as code, in the same context as the code outside the eval()
this can be extremely bad, especially if what you pass to eval() comes from a URL
for example, a fetch
ya, in the case of fetch we can't use it.
and it's not just that
this can lead to executing malicious code without you knowing
and that code can have access to information that's supposed to be private (aka - not accessible to the "public")
OMG!
eval is a huge opportunity for security issues
But then it states in MDN that it returns a completion value; they never mentioned it's a bad idea. So how will a person know which inbuilt functions are not to be used??
what are you talking about, there's a giant red warning box at the top of the MDN page on eval?
if you REALLY need to use eval, STOP
you're doing something wrong
eval is a danger
can you show an example of where you used eval?
on clicking equal to
you don't need eval to do that
there might be different approaches.
but i went with a very basic one.
we can't use eval for this simple thing as well?
it seems """"safe-ish""""
but i wouldn't risk it
Calculators are also terrible beginner projects
They're very hard to do properly and teach you very bad habits if you do them the easy way (which is to use eval)
it's also extremely hard to make eval reasonably ok to use without worrying
Got it.
Thanks for the support.
I'm trying to find an example I saw a while ago
https://www.youtube.com/watch?v=PZ-H099IaWo <-- here's an example of a real-life exploit because of a bug on cleaning up data to be passed to eval in another language (perl)
YouTube: Daniel Boctor, "MAJOR EXPLOIT: GitLab was Hacked with an IMAGE??"
OMG.
"omg" indeed
this is why people should avoid eval (and it's concepts) like the plague
great. I'll keep this in mind.
just so you can understand how bad this is, the result is that anyone can execute commands in the server
this means, steal data, access to things they shouldn't access, infect the machine (and maybe others) to do anything, including distributing viruses and malware
all because of eval (or the equivalent)
that server is compromised and should be burned in a fire
now you see how bad it can get?
yes.
in short: eval is evil
There are libraries of evaluating math equations. Though as already mentioned. A calculator as a learning project is a really bad idea. It is a project which looks really simple which causes new people to get to use many bad code patterns.
and almost all of the skills you learn (other than building the layout maybe) are entirely useless in most other programming projects
come again.
the hard parts of building a calculator properly in javascript require skills that are not really used
getting the buttons to work properly without eval requires logic that is only really useful to make buttons on a calculator work properly without using eval. There's much better projects to learn DOM manipulation
If you are making a calculator on a very serious level, almost all of the skills will be related to backend / algorithms more than the frontend.
yea got it. I just tried eval with a simple one.
Is it?
At least if I make a calculator app, the most important things will be parsing the math equations and managing the history. Most of this will include algorithms which are not often used in frontend
I guess both parsing the equation and keeping the previous result can be done in frontend.
Correct me if I am wrong.
it's something you almost never do
simple basic calculator can be done in frontend right?
yes
but the input parsing is something you almost never do
and i mean "almost never"
ya, that's it; using eval() parsing can be done but it's dangerous.
yes
I did make the beginnings of a calculator without eval
but, again, it's something you will only use for a calculator
?
the skills you get from making a calculator usually only apply to making a calculator and don't advance you in any other aspect
but we will at least learn something, .00001%
eh
And managing the history, I mean storing previous results, can be done in F.E.
that's still something you apply only for a calculator
then what is not used in F.E here?
you're mixing "can be done in front end" with "will be used in front end"
just because it can be done doesn't mean you will use it outside the calculator
algos which are not often used in F.E
if something similar comes out of the box then we can use it, right? e.g. storing previous results
again, just because you can use doesn't mean you will
in a calculator, EVERYTHING you do IS USED IN FRONT END, but almost everything won't be used anywhere else
okay cool
got it
i still like it as a mental exercise
?
like, how to implement receiving data and not using much parsing
ya ya .
Just a yes or no question: is the for ... in loop just used for objects??
it's not really used anymore
ok thank you
nowadays, for ... of ... is used
ONLY for objects?
and arrays too
which are objects
EVERYTHING is an object in javascript
5 <-- object
true <-- object
"hi" <-- object
null <-- "object"
if you need to go through an object, use this:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/entries
but this is getting off-topic
way back when, you used to need to use eval to access properties by string
but we can't use that eval
yes, but it was used way back then
good thing we learned to not use it
and have the syntax to not use it
If you are doing a project for learning, it's not just about "it is possible to do it in frontend", it's more of "will I ever do it in frontend in an actual product?". In my entire journey I never had to use any algorithms used in a calculator for any real project. That's why so many professional developers say it's a bad project as a starter.
Just read the whole chat, @ἔρως already covered everything....
yes got it.
So suggest projects that cover algos/steps used in real projects as well as for starters
depends a lot on what you want to do
Suggestion/idea please
there's some project ideas in #discussions if you want to go looking for them, or you can make a post there asking for projects. You will have to include some more info than "suggestion/idea please" though, maybe a couple you've already made, what level of complexity you want, and what your eventual goal is going to be (become a frontend dev, or just as a hobby, learn backend eventually...)