
Here is a quick example of something I was wondering about. Before we start, I am aware that eval should only be used when absolutely needed.

Let's say I have an endpoint that runs some code like this:

endpoint.php

<?php
    $input = sanitised($_POST['someData']);
    $array = someDatabaseQueryMethod($input);
    echo 'runtime.getItem("'.A_SAFE_DEFINED_CONSTANT.'").stateChange({"newValues":'.json_encode($array).'});';
?>

then I have an index.php that looks like this:

... omitted ...
<body>

$.ajax({
    url : "./endpoint.php",
    type: "POST",
    data : {someData: 1},
    success: function(data, textStatus, jqXHR)
    {
        eval(data);
    },
    error: function (jqXHR, textStatus, errorThrown)
    {
        //error logic here
    }
});

...

Is there a situation that can occur where some content in $array (which, let's say, could contain anything at all, multi-dimensional, loads of different strings / other data types, but will always be a valid array that won't cause json_encode to fail) could mean that the eval statement could be vulnerable to some kind of injection?

Effectively, I always want .stateChange to receive an object that it can take a look at and decide what to do with in this example.

I know this might seem like quite a convoluted example; it is taken out of context. This is the smallest verifiable example I could come up with.

EDIT: while the above is closest to what I am doing, I guess the smallest example would actually be this:

endpoint.php

<?php
    $input = sanitised($_POST['someData']);
    $array = someDatabaseQueryMethod($input);
    echo 'var a = '.json_encode($array).';';
?>

OK guys, I get it. No need for more comments that do not answer the question, which is not about different methods of doing the same thing, but thanks for your feedback.

It would be great to get an example of where this would break, not hearsay about how bad eval is.

  • Wow, this is hard to read. If you could write the question in one sentence, what is your question? Commented Feb 23, 2016 at 14:50
  • Why eval the data? Just tell jQuery you're expecting a JSON response and it'll parse it as JSON. Commented Feb 23, 2016 at 14:50
  • Indeed. Why have your code return a function call in the first place? That'd be more JSONP. Why not just return the json-encoded array and let JSON.parse() handle that automatically? There'd be no "execution" concerns, because JSON.parse doesn't use eval, and you wouldn't be sending executable code in the first place. Commented Feb 23, 2016 at 14:52
  • Added a TLDR for you @DustinPoissant. Andy, as stated in the question, this is part of a much larger example and I know it does not make sense on its own without pasting thousands of lines of code. Commented Feb 23, 2016 at 14:53
  • In my opinion, in such a context, the eval is just unneeded. I would personally use eval only if I literally have no other alternative, like in a situation where I have to execute some JavaScript code which is stored on the server and generated according to some user settings but not influenced by any means by any user's data. There was a nice topic about eval on Stack Overflow about when to use it with ajax requests, but I can't find that answer anymore. Commented Feb 23, 2016 at 15:00

1 Answer

Is there a situation that can occur where some content in $array (which, let's say, could contain anything at all, multi-dimensional, loads of different strings / other data types, but will always be a valid array that won't cause json_encode to fail) could mean that the eval statement could be vulnerable to some kind of injection?

Yes, absolutely! If I were a hacker, I could very likely find a way to hijack a user's entire session if there's ever even the slightest mistake made in escaping user strings. There is absolutely no reason you should need to take that kind of risk. Use JSON.parse(str) instead. Since you're currently returning JavaScript code, change it to simply return your value as an object with two values that you automatically do two things with (e.g. {stateChangeTarget: 'CONSTANT_IDENTIFIER', stateChangeData: {"newValues": [...]} }). This will give you the array that you want. Then perform the expected functions in the result like this:

dataType: "json",   // jQuery parses the body as JSON; no code is executed
success: function(data)
{
     // data is a plain object: look up the target and hand it the new values
     runtime.getItem(data.stateChangeTarget).stateChange(data.stateChangeData);
},

This is also extensible to other client applications. If you decide to write a mobile app, that app won't be able to run JavaScript, and so it'll be lost when the server returns a pure JavaScript command with no neutral way to access the data (JSON).
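As an added illustration (not code from the question or the answer), the following Node.js script contrasts the two client paths the answer compares. The server-side helpers are constructed stand-ins for endpoint.php: encodeResponse does what json_encode($array) does, while buildResponseWithMistake deliberately reproduces the escaping mistake the answer warns about. recordSideEffect, AWKWARD_VALUE, applyStateChange and the runtime object are assumed names that exist only for this example.

```javascript
// Added example, not code from the original question or answer. The "server"
// helpers below are constructed stand-ins for endpoint.php so the client side
// can be exercised offline in Node.

let sideEffects = 0;                         // counts code runs caused by a response body
function recordSideEffect() { sideEffects += 1; return "ran"; }
function getSideEffects() { return sideEffects; }

// Correct server behaviour: encode the whole response as data, the way
// json_encode($array) does. Quotes and backslashes inside strings are escaped.
function encodeResponse(target, newValues) {
  return JSON.stringify({ stateChangeTarget: target, stateChangeData: { newValues } });
}

// Constructed escaping mistake: a string from the database is concatenated by
// hand instead of being encoded. This is the "slightest mistake" the answer
// refers to; it exists here only to compare how the two client paths react.
function buildResponseWithMistake(target, rawString) {
  return '{"stateChangeTarget":"' + target +
         '","stateChangeData":{"newValues":["' + rawString + '"]}}';
}

// Client path 1 (what the question does): eval() treats the body as code.
function clientEval(body) {
  return eval("(" + body + ")");
}

// Client path 2 (what the answer recommends): JSON.parse() treats the body as
// data and fails closed on anything that is not valid JSON.
function clientJsonParse(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Dispatcher in the shape of the answer's success handler, with a type check
// on the target before it is used to look up a runtime item.
function applyStateChange(body, runtime) {
  const parsed = clientJsonParse(body);
  if (!parsed.ok) return { applied: false, reason: parsed.error };
  const { stateChangeTarget, stateChangeData } = parsed.data;
  if (typeof stateChangeTarget !== "string") return { applied: false, reason: "bad target" };
  runtime.getItem(stateChangeTarget).stateChange(stateChangeData);
  return { applied: true };
}

// Constructed database value containing a double quote. Properly encoded it is
// just a string; with the concatenation mistake it changes what the body means
// to eval(), whereas JSON.parse() simply rejects the body.
const AWKWARD_VALUE = 'x"+recordSideEffect()+"y';

function demo() {
  const good = encodeResponse("widget", [AWKWARD_VALUE]);
  const bad = buildResponseWithMistake("widget", AWKWARD_VALUE);
  const before = getSideEffects();
  return {
    goodEval: clientEval(good).stateChangeData.newValues[0],      // the literal string
    goodParse: clientJsonParse(good).data.stateChangeData.newValues[0],
    badEval: clientEval(bad).stateChangeData.newValues[0],        // "xrany": code ran
    badEvalRanCode: getSideEffects() > before,                    // true
    badParseOk: clientJsonParse(bad).ok,                          // false: SyntaxError
  };
}

console.log(demo());
```

The point the run makes is the one the answer gives in prose: with json_encode-style encoding both paths yield the same data, but only JSON.parse keeps that guarantee when the encoding is wrong, because a malformed body becomes a SyntaxError instead of executed code.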


1 Comment

Thanks, I understand the options already. I just find it strange that everyone dooms eval, yet returning echo json_encode($arr) instead in index seems (based on javascriptweblog.wordpress.com/2010/04/19/how-evil-is-eval) like it would result in the same code executing (i.e. eval of my json_encode output) in older versions of jQuery. Thanks anyway.
