Lesson 24 of 30 – JavaScript Eval
80%

JavaScript Eval

The eval() function in JavaScript evaluates and executes a string as JavaScript code.

Note: Although eval() is powerful, it is generally discouraged because of security and performance risks.
What is eval()?

The eval() function executes JavaScript code stored inside a string.

Syntax:
eval(string);

The string is interpreted as JavaScript code and executed immediately.

Simple Example
Example:
eval("document.write('Hello World');");
Output:

Hello World

Evaluating Expressions

eval() can calculate mathematical expressions stored as strings.

var result = eval("10 + 20");
document.write(result);
Output:

30

Using Variables
var x = 10;
var y = 20;
var result = eval("x + y");
document.write(result);
Output:

30

Calling Functions Using eval()

eval() can execute function calls stored as strings.

var result;

function Sum(val1,val2){
return val1 + val2;
}

eval("result = Sum(10,10);");
document.write(result);
Output:

20

eval() with JSON

eval() can convert JSON-like strings into objects.

var str='({"firstName":"Brinjay","lastName":"Kumar"})';
var obj = eval(str);

document.write(obj.firstName);
Output:

Brinjay

Why Developers Avoid eval()

Modern JavaScript development rarely uses eval() because it introduces several problems.

  • Security risks
  • Slower performance
  • Difficult debugging
  • Harder code maintenance
  • Reduced code readability
Security Risk

If eval() executes untrusted user input, attackers can inject malicious JavaScript code.

Never use eval() with user-provided data.
Unsafe Example:
var userInput = "alert('Hacked!')";
eval(userInput);
Performance Issues

JavaScript engines cannot optimize code that uses eval() efficiently.

As a result, programs become slower and consume more resources.

Maintainability Problems

Code written with eval() becomes difficult to understand and debug.

Future developers may struggle to identify what code is being executed.

Alternative: JSON.parse()

If your goal is to convert JSON text into an object, use JSON.parse() instead of eval().

Example:
var json='{"name":"Sohan","age":20}';
var obj = JSON.parse(json);

document.write(obj.name);
Output:

Sohan

Alternative: Function Constructor

For dynamic code execution, developers sometimes use Function constructors.

var add = new Function("a","b","return a+b;");
document.write(add(10,20));
Output:

30

When Should You Use eval()?

In most situations, you should avoid using eval().

  • Use only when absolutely necessary.
  • Never execute untrusted input.
  • Consider safer alternatives first.
  • Review security risks carefully.
Points to Remember
  • eval() executes JavaScript code stored in a string.
  • It can evaluate expressions and execute functions.
  • eval() can convert JSON-like strings into objects.
  • Using eval() may create security vulnerabilities.
  • Programs using eval() often run slower.
  • Code becomes difficult to debug and maintain.
  • Use JSON.parse() whenever possible.
  • Avoid eval() unless absolutely necessary.
Quick Revision
Feature Description
eval() Executes JavaScript code from a string
Security Can lead to code injection attacks
Performance Slower than normal JavaScript code
JSON.parse() Safer alternative for JSON data
Function() Alternative for dynamic functions
Best Practices
  • Avoid eval() whenever possible.
  • Use JSON.parse() for JSON strings.
  • Never evaluate user input.
  • Keep code secure and maintainable.
  • Use modern JavaScript alternatives.
  • Write readable and optimized code.

🧠 Quick Quiz

Which function is a safer alternative to eval() for parsing JSON data?