
The Danger of Using Eval() Function

 

One of the distinct features of JavaScript is that it comes with many built-in functions and objects that developers can use with little to no effort. Through these functions and objects, variables and data can be handled without much coding on the developer's end.


But not every built-in function and object available in JavaScript and Ajax is necessary in every application. Some JavaScript functions and objects can do more harm than good under certain conditions. A developer must choose wisely which functions to use, or the application will be exposed to attacks or will suffer a slowdown in performance.


The Eval() Function


One function that should be used with caution is the Eval() function. You will notice it on many websites because of its usefulness in certain situations. Basically, this function passes a string of data through the compiler: the string is assembled and then executed on the client side. The compiler can do this because the string is handed over as a parameter. The string is not necessarily minimized, but it is interpreted in a different manner so that the client side can execute the resulting function at an optimal level.


Why It Could be Dangerous


At first glance the Eval() function may offer distinct advantages for JavaScript and Ajax applications. However, you will soon realize that you are giving too much power to this function. Eval() practically transforms the string into a parameter: everything, including your data, is reduced to a mere parameter.


When an attack happens, the Eval() function can be easily monitored. When the string that contains the data is passed through Eval(), the data contained in that string can be easily extracted.


The Eval() function can also slow down the application. This is especially true in small JavaScript applications such as APIs and widgets. Eval() is an additional stage your code has to go through: instead of the application being executed directly from the string, the string is first processed as a parameter before the application can read it.


If you have a small application, you do not need Eval(), because the application has enough resources to read the string and the data attached to it and to execute that string directly. Eval() only slows down the process, because it does not let the function run until it has been passed in as a parameter.


Alternative to Eval()


Unfortunately, there is no alternative to the Eval() function. This built-in JavaScript function has been used for so many years by so many developers that it has become a standard in some applications. While its use in verifying the validity of a string is important, it can cost precious resources on the user's end.


If you are building a relatively simple application, avoid Eval() and check your code manually. There are also additional tools you can use to test the validity of the string in question. By following these practices, you ensure the stability and performance of the application without exposing it to various attacks.
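As an added example that is not part of the article, the following code puts the Eval() pattern the article warns about beside a parsing path that treats the same Ajax response purely as data. The response strings, the `sideEffects` marker and the helper names are constructed for illustration; `JSON.parse` is a standard JavaScript function the article does not mention.

```javascript
// Added example (not from the article): eval() on an Ajax response string
// versus parsing that string strictly as data.

// Constructed server response, as it would arrive in XMLHttpRequest.responseText.
const TRUSTED_RESPONSE = '{"user": "alice", "role": "viewer"}';

// Records whether any code inside a response string was executed.
const sideEffects = [];

// Constructed tampered response: it still looks like an object literal, but the
// "role" value is an expression. eval() runs it; a data parser rejects it.
const TAMPERED_RESPONSE =
  '{"user": "alice", "role": (sideEffects.push("code ran"), "admin")}';

// The pattern the article warns about. The string is handed to eval(), so
// whatever it contains is executed as JavaScript. The surrounding parentheses
// are needed because a bare "{...}" would be parsed as a block, not an object.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Data-only path: JSON.parse never executes the string. Anything that is not
// plain JSON (such as the tampered response above) throws instead of running.
function parseAsData(text) {
  return JSON.parse(text);
}

// Defensive wrapper for application code: returns null for invalid input so a
// bad or tampered response is dropped rather than trusted.
function safeParse(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Returns how many times code embedded in a response string has run so far.
function codeRanCount() {
  return sideEffects.length;
}
```

Running `parseWithEval(TAMPERED_RESPONSE)` produces an object with `role` set to `"admin"` and increments `codeRanCount()`, while `safeParse(TAMPERED_RESPONSE)` returns `null` and leaves the count unchanged.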


