Eval


In some programming languages, eval is a function which evaluates a string as though it were an expression and returns a result; in others, it executes multiple lines of code as though they had been included in place of the line containing the eval call. The input to eval is not necessarily a string; it may be a structured representation of code, such as an abstract syntax tree (like Lisp forms), or a value of a special code type (such as Python code objects). The analog for a statement is exec, which executes a string (or code in another format) as if it were a statement; some languages, such as Python, provide both, while others provide only one of eval or exec.

Eval and apply are instances of meta-circular evaluators, interpreters of a language that can be invoked within the language itself.

Special care must be taken when using eval with data from an untrusted source. For instance, assuming that the get_data() function gets data from the Internet, this Python code is insecure:

An attacker could supply the program with the string "session.update(authenticated=True)" as data, which would update the session dictionary to set the authenticated key to True. To remedy this, any data that will be passed to eval must be escaped, or eval must be run without access to potentially harmful functions.
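The following added example (not part of the original article) reconstructs the pattern described above and places the insecure eval() call beside a hardened alternative that accepts only Python literals. The string returned by get_data() is replaced by a constructed sample so the code runs offline.

```python
import ast

# Constructed sample inputs: the attacker-controlled string from the text above,
# standing in for whatever get_data() would return from the network, plus a
# benign settings literal that a legitimate client might send.
MALICIOUS_INPUT = "session.update(authenticated=True)"
BENIGN_INPUT = "{'theme': 'dark', 'page_size': 25}"


def unsafe_load(data: str, session: dict) -> dict:
    """The insecure pattern: eval() runs an arbitrary expression with access to
    the names it is given, here the caller's session dictionary."""
    eval(data, {"session": session})
    return session


def safe_load(data: str, session: dict) -> dict:
    """Hardened version: ast.literal_eval() accepts only literal syntax
    (strings, numbers, tuples, lists, dicts, sets, booleans, None) and raises
    ValueError on any call, attribute access or name lookup, so the session
    passed in can never be touched by the input."""
    parsed = ast.literal_eval(data)
    if not isinstance(parsed, dict):
        raise ValueError("expected a dict of settings")
    return parsed


def demo():
    # Unsafe path: the attacker-supplied expression flips the flag to True.
    s1 = {"authenticated": False}
    unsafe_load(MALICIOUS_INPUT, s1)

    # Safe path: the same string is rejected and the session is unchanged.
    s2 = {"authenticated": False}
    try:
        safe_load(MALICIOUS_INPUT, s2)
        rejected = False
    except ValueError:
        rejected = True

    # Benign literal data still parses through the safe path.
    settings = safe_load(BENIGN_INPUT, {})
    return s1["authenticated"], rejected, s2["authenticated"], settings


if __name__ == "__main__":
    print(demo())
```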

A call to eval is sometimes used by inexperienced programmers for all sorts of tasks. In most cases there are alternatives which are more flexible and do not incur the speed penalty of parsing code at run time.

For instance, eval is sometimes used for a simple mail merge facility, as in this PHP example:

Although this works, it can cause security problems (see § Security risks), and it will be much slower than other possible solutions. A faster and more secure solution would be to change the last line to echo $template; and remove the single quotes from the previous line, or to use printf.

Wikipedia