Tutorial

Reasons Why You Should Never Use eval() in JavaScript

JavaScript

While this tutorial has content that we believe is of great benefit to our community, we have not yet tested or edited it to ensure you have an error-free learning experience. It's on our list, and we're working on it! You can help us out by using the "report an issue" button at the bottom of the tutorial.

The eval() function has been around for a long time in JavaScript! You likely don’t see it often anymore because it’s widely agreed that it’s harmful to use. Let’s take a brief look at it, and some of the dangers associated with using it.

The keyword eval is an abbreviation for “evaluate.” The function essentially takes a string with JavaScript code and will evaluate it for you.

eval('2 + 3 + 1');
// 6

You can evaluate a simple expression… Or a bunch of JavaScript code!

var foo = 2;

eval('var bar = 3;\
var baz = 1;\
\
function addStuff() {\
  return foo + bar + baz;\
}\
\
addStuff();\
');
// 6

Reasons to Avoid Using   eval()

Unless you are doing really high-level JavaScript (see below) the risks usually outweigh the benefits of using eval(). Here’s some of the reasons to avoid using it:

  • Malicious code: invoking eval can crash a computer. For example: if you use eval server-side and a mischievous user decides to use an infinite loop as their username.
  • Terribly slow: the JavaScript language is designed to use the full gamut of JavaScript types (numbers, functions, objects, etc)… Not just strings! Using eval is orders of magnitude slower than normal JavaScript code.

Considering that eval() is still part of the ECMAScript standard… Are there any appropriate uses for it?

Legitimate Uses for   eval()

There’s a small subset of JavaScript development that requires using eval. These include: developing template libraries, interpreters, command lines and module systems. Most of these types of software development are meta-programming and build tools.


If you’re unsure whether to use eval, try doing a quick search on StackOverflow. There’s almost always a better approach.

0 Comments

Creative Commons License