Eval Function Debate

Discussions revolve around the use, risks, security issues, performance, and alternatives to the eval() function in dynamic programming languages like JavaScript, Python, and PHP.

➡️ Stable 0.7x Programming Languages

1,913

Comments

Years Active

Top Authors

#6500

Topic ID

Activity Over Time

2007

2008

2009

2010

2011

2012

107

2013

155

2014

105

2015

2016

108

2017

116

2018

144

2019

105

2020

2021

138

2022

101

2023

117

2024

154

2025

144

2026

Top Contributors

kazinator (22) agumonkey (15) shakna (12) tlrobinson (9) tyingq (8)

Keywords

PHP SQL df.size JMC EVERY E.g IO default.nix eval runtime string evaluate var function functions shoot php payload

Sample Comments

waffletower • Jun 29, 2023 • View on HN

No, 'eval' is available in many dynamic languages and needs to be utilized with care

orf • May 6, 2017 • View on HN

Because it's not about eval(), as the link you're commenting on explains in detail?

mck- • Oct 19, 2012 • View on HN

Makes me wonder if 'eval' still serves a legit purpose

eimrine • Oct 21, 2023 • View on HN

Want to have eval? Stop everything.

asdev • Mar 12, 2025 • View on HN

do you have an eval? how did this actually help?

AshleysBrain • Jan 3, 2012 • View on HN

Page seems to be missing a "why?" section. Seriously, why? What does it do that eval() doesn't?

edw519 • Nov 27, 2007 • View on HN

Interesting he never mentions "eval()". Anyone notice any performance issues here?

chii • May 13, 2019 • View on HN

ahh, so this only applies to the 'eval' function, and not just any functions it seems.

adambyrtek • Aug 30, 2017 • View on HN

Not in a general case, because eval/exec accepts an arbitrary string which could change at runtime.

blasdel • Sep 12, 2009 • View on HN

If you're prepending code to user-input strings and later popping+parsing it to cause side effects, that's eval.