On Wed, Dec 16, 2009 at 09:03, Peter Schneider <p.schnei...@tis-gmbh.de> wrote:
> Hi Andreas,
>
> >> [...] Wouldn't "Function" be the better choice?
> >
> > Why would it? There doesn't seem to be a real difference to me (except
> > regarding scoping, but this should be irrelevant here).
>
> I think it's a bit more than just scoping. As far as I remember the eval()
> call starts a complete new compiler, parser etc. pp.
> On the other hand it seems to me that "eval() is evil" is common sense
> throughout all developers ;)
>

Hi Peter,

"eval() is evil" is a common phrase that helps discourage those who don't understand the possible consequences of using it from ever using it. There is nothing inherently evil about eval(). The input to eval() must be sanitized to ensure that there is no code in that input that could do harm, but once that sanitizing is complete, eval() is no longer evil.

If user input can ever be directly fed (i.e. unsanitized) to eval(), the possibility of the evil user doing something evil exists, but that is the primary problem with eval(). It's not that eval() is evil; rather that it opens the possibility that the evil user might do something evil. Similarly, if unsanitized user input is ever allowed to creep into a SQL statement to a database, similar (or worse, since now we're talking server-side!) problems exist.

Feeding the input to Function rather than to eval() and then calling the generated function has all of the same security ramifications as simply calling eval(). There is effectively no difference between the two. I guess that must mean that Function is evil too. :-)

Cheers,

Derrell
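The point Derrell makes, as an added example that is not part of the thread: both eval() and Function compile whatever string they are handed, so from a security standpoint they are interchangeable. The block also shows the scoping difference Peter mentions (a direct eval() sees the caller's local variables, a Function body does not), which is a visibility difference and not a trust boundary, and two defensive alternatives for the common cases where a string is really data (JSON.parse) or really a choice of operation (an allow-listed dispatch table). The input string, the function names and the allow-list are all constructed for this example.

```javascript
// Added example, not code from the qooxdoo project or the thread authors.
// A constructed "user-supplied" string. Here it is a harmless expression, but
// both evaluators below would accept any JavaScript statement sequence.
const USER_INPUT = "1 + 2";

// Both of these hand the raw string to the JavaScript compiler. Whatever the
// string contains runs with the same privileges as the surrounding code, which
// is why sanitising the input (or not compiling it at all) is what matters.
function viaEval(src) {
  return eval(src); // direct eval: compiled in the caller's scope
}

function viaFunction(src) {
  return new Function("return (" + src + ");")(); // body compiled in global scope
}

// The scoping difference: a direct eval() can read a variable local to the
// calling function, while a Function body cannot. Neither behaviour limits
// what the compiled string is allowed to do.
function scopeProbe() {
  const localSecret = "only visible to direct eval";
  const seenByEval = eval("typeof localSecret");
  const seenByFunction = new Function("return typeof localSecret;")();
  return { seenByEval, seenByFunction };
}

// Defensive alternative 1: if the input is meant to be data, parse it with a
// parser that can only yield data. JSON.parse never executes anything and
// rejects expressions such as "1 + 2" outright.
function parseData(src) {
  return JSON.parse(src);
}

// Defensive alternative 2: if the input is meant to choose an operation,
// dispatch through an allow-list instead of compiling the string. The
// hasOwnProperty check keeps inherited names like "constructor" out.
const ALLOWED_OPS = {
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
};

function dispatch(opName, a, b) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPS, opName)) {
    throw new Error("operation not allowed: " + opName);
  }
  return ALLOWED_OPS[opName](a, b);
}

function demo() {
  return {
    viaEval: viaEval(USER_INPUT),
    viaFunction: viaFunction(USER_INPUT),
    scope: scopeProbe(),
    dispatched: dispatch("add", 1, 2),
  };
}
```

Running demo() shows eval() and Function producing the same result for the same string, and scopeProbe() returning "string" for the eval side and "undefined" for the Function side; the JSON.parse and dispatch helpers are the shapes to reach for when the string was never supposed to be code in the first place.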
_______________________________________________
qooxdoo-devel mailing list
qooxdoo-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel