When is JavaScript's eval() not evil?


Problem description

I'm writing some JavaScript to parse user-entered functions (for spreadsheet-like functionality). Having parsed the formula I could convert it into JavaScript and run eval() on it to yield the result. However, I've always shied away from using eval() if I can avoid it because it's evil (and, rightly or wrongly, I've always thought it is even more evil in JavaScript because the code to be evaluated might be changed by the user).

So, when is it OK to use it?

Recommended answer

I'd like to take a moment to address the premise of your question - that eval() is "evil". The word "evil", as used by programming language people, usually means "dangerous", or more precisely "able to cause lots of harm with a simple-looking command". So, when is it OK to use something dangerous? When you know what the danger is, and when you're taking the appropriate precautions.

To the point, let's look at the dangers in the use of eval(). There are probably many small hidden dangers just like everything else, but the two big risks - the reason why eval() is considered evil - are performance and code injection.


  • Performance - eval() runs the interpreter/compiler. If your code is compiled, this is a big hit, because you need to call a possibly heavy compiler at runtime. However, JavaScript is still mostly an interpreted language, which means that in the general case calling eval() is not a big performance hit. (

  • Code injection - eval() may run a string of code under elevated privileges. For example, a program running as administrator/root would never want to eval() user input, because that input might be rm -rf /etc/important-file or worse. Again, JavaScript in the browser doesn't have this problem, since the program runs in the user's own account. Server-side JavaScript could have this problem.

On to your specific case. From what I understand, you're generating the strings yourself, so assuming you're careful not to allow a string like "rm -rf something-important" to be generated, there's no code injection risk (but please remember, it's very very hard to ensure this in the general case). Also, if you're running in the browser then code injection is a pretty minor risk, I believe.

As for performance, you'll have to weigh that against ease of coding. It is my opinion that if you're parsing the formula, you might as well compute the result during the parse rather than run another parser (the one inside eval()). But it may be easier to code using eval(), and the performance hit will probably be unnoticeable. It looks like eval() in this case is no more evil than any other function that could possibly save you some time.
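The answer's suggestion of computing the result during the parse rather than handing generated code to eval(), as an added example that is not part of the original question or answer: a small recursive-descent evaluator for spreadsheet-style formulas. The grammar (numbers, cell references like A1, + - * /, parentheses, unary minus) and the `cells` lookup object are assumptions, not anything the page specifies.

```javascript
// Added example, not from the original question or answer: compute a spreadsheet-style
// formula while parsing it, so user-entered text never reaches eval(). The grammar is an
// assumption; anything outside it (identifiers, strings, calls) is rejected as a SyntaxError.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|([A-Z]+\d+)|([-+*/()]))/y; // sticky: no unmatched gaps
function tokenize(src) {
  const s = src.trim(), out = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < s.length) {
    const at = TOKEN.lastIndex, m = TOKEN.exec(s);
    if (!m) throw new SyntaxError(`unexpected input at offset ${at}`);
    out.push(m[1] !== undefined ? { n: Number(m[1]) } : m[2] !== undefined ? { cell: m[2] } : { op: m[3] });
  }
  return out;
}

// cells: plain object mapping cell names to numbers (a constructed lookup, not a real sheet).
function evaluateFormula(formula, cells) {
  const toks = tokenize(formula.startsWith('=') ? formula.slice(1) : formula);
  let i = 0;
  const peek = () => (i < toks.length ? toks[i] : {});
  const expr = () => {                       // expr := term (('+'|'-') term)*
    let v = term();
    while (peek().op === '+' || peek().op === '-') v = toks[i++].op === '+' ? v + term() : v - term();
    return v;
  };
  const term = () => {                       // term := factor (('*'|'/') factor)*
    let v = factor();
    while (peek().op === '*' || peek().op === '/') {
      const op = toks[i++].op, r = factor();
      if (op === '/' && r === 0) throw new RangeError('division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  };
  const factor = () => {                     // factor := number | cell | '(' expr ')' | '-' factor
    const t = toks[i++];
    if (t === undefined) throw new SyntaxError('unexpected end of formula');
    if (t.n !== undefined) return t.n;
    if (t.cell !== undefined) {
      if (typeof cells[t.cell] !== 'number') throw new ReferenceError(`unknown cell ${t.cell}`);
      return cells[t.cell];
    }
    if (t.op === '-') return -factor();
    if (t.op === '(') { const v = expr(); if (toks[i++]?.op !== ')') throw new SyntaxError("expected ')'"); return v; }
    throw new SyntaxError(`unexpected token ${t.op}`);
  };
  const result = expr();
  if (i !== toks.length) throw new SyntaxError(`trailing input at token ${i}`);
  return result;
}
```

Because the evaluator only ever produces numbers and never builds a code string, a formula such as `alert(1)` fails at the tokenizer instead of being executed.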
