Dear fellow mongers,

I saw a friend using an eval() where it was unnecessary.  Of course,
eval() is a valuable tool, with many valid uses.  But in this specific
instance, it was truly unnecessary, and so I advised him to eliminate
the eval().  (The code he used was "eval $string", where the value of
$string was known at compile-time.)

He wrote back:

> Why? What is wrong with eval other than security problems. It is a
> script which is used internally so I do not think there is any problem
> with that. [...]

That set me thinking.

I could think of three problems with eval(), and replied to him with
the three points below.  Please let me know if I have gotten anything
wrong below.  Also, if you can think of more eval() concerns, please
help me learn.  TIA.

----------------------\/--------BEGIN---------\/----------------------
* delayed error detection and impact on correctness:
    If there is a typo in the system() string that you constructed,
    such as a missing quote mark or extra open parenthesis, the problem
    will not be detected until all the preceding execution is complete.
    If the preceding code did something permanent (i.e., something that
    has life beyond the process itself) we will be left with a messy
    situation.  e.g.: if the preceding code renamed a file to a
    temporary location, with the expectation that it will be restored
    at the end of the script, then the incomplete run (caused by the
    delayed error detection) can cause problems that are hard to fix.
* efficiency:
    It causes the perl interpreter to be launched at run-time.  The
    situation would be worse if the eval() happened inside iterative
    code, which is not the case here.  But even for one-time use, it is
    definitely an overhead that should be avoided if possible.
* security:
    This is definitely not a problem with the specific use in this
    specific script.  I agree with you.  But even for an internal
    script, even if there is no malicious use, eval() opens us up for
    security problems caused by human error.  Once again, this does not
    apply to the current use in the current script.
----------------------/\---------END----------/\----------------------
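To make the first point concrete, here is a small Perl script (an added example, not code from the original post) showing that a typo inside a string handed to eval is only found when the eval statement runs, after any earlier side effects, whereas the same code written directly or inside a block eval is compiled with the rest of the file. The string, the stand-in for "permanent" work, and the messages are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed: the code is fixed at compile time but carries a typo
# (missing closing parenthesis).  `perl -c` accepts this file anyway,
# because a string passed to eval is not parsed until the eval runs.
my $string = 'print("restoring state\n";';

# Stand-in for the "permanent" preceding work the post describes
# (e.g. renaming a file to a temporary location).
sub do_permanent_work {
    print "permanent step done\n";
    return 1;
}

do_permanent_work();              # the side effect happens first...

my $ok = eval $string;            # ...and the typo surfaces only here
warn "eval failed after the side effect: $@" if !$ok && $@;

# The same code written directly is compiled together with the rest
# of the file, so the typo would be reported by `perl -c` before
# do_permanent_work() ever ran:
#
#   print("restoring state\n");
#
# If eval was only wanted to trap run-time failures, a block eval keeps
# that behaviour while its body is still compiled up front:
my $done = eval { print("restoring state\n"); 1 };
warn "run-time failure: $@" unless $done;
```

Running `perl -c` on the file reports no error; running the script prints the "permanent step done" line and then warns about the syntax error from the string eval.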

peace,                                     || What can one hour achieve?
--{kr.pA}                                  || http://www.workanhour.com/
--
Kid, n.: A noise with dirt on it.
 
_______________________________________________
Boston-pm mailing list
http://mail.pm.org/mailman/listinfo/boston-pm