What is the difference between eval() and JSON.parse()?
Yeah, guys! I had a question about the eval() function in an interview in the UK, and I have always asked myself about the difference between the eval() function and JSON.parse.
I have already used both functions for the same implementation, and the solution works perfectly with either. My problem was handling the JSON object as a string coming from an HTTP request body. At that moment it worked. But which one is safer, and in which situation should I use each one?
eval(string)
So, eval(string) is a JavaScript function that takes the string value and runs it as code, i.e. it evaluates the expression. You can evaluate a string, boolean, arithmetic, logical or object expression, or even whole statements.
But can this let someone inject any code? Can it be malicious? Yes, it can! If the string comes from an untrusted source such as an HTTP request body, whatever it contains is executed with the privileges of your application. The attacker is not limited to sending a JSON object: arbitrary JavaScript is accepted just the same, in the same way that untrusted input concatenated into a SQL statement becomes SQL injection.
That is what happens in the sample below: the price of the book JSON object was changed by the injected code before it was displayed.
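The following is an added example (not the post's own sample) of the attack described above: the same HTTP body string is handed to eval() and to JSON.parse(). Both request bodies and the config secret are constructed for the demo; the Book shape (title, price) is an assumption.

```javascript
// Added example, not code from the original post. Both request bodies below
// are constructed for the demo; "config" stands in for real server state.
const config = { dbPassword: 'constructed-secret' }; // hypothetical server secret
const audit = { leaked: null };                       // records what eval'd code reached

// What a well-behaved client sends.
const honestBody = '{"title":"Eloquent JavaScript","price":39.9}';

// What an attacker sends: it still ends in an object literal, but it is wrapped in
// a comma expression that runs arbitrary JavaScript first and then rewrites the price.
const maliciousBody =
  '(audit.leaked = config.dbPassword, {"title":"Eloquent JavaScript","price":0.01})';

// Vulnerable: the body is executed as JavaScript. Because this is a direct eval,
// the executed code can read and write every variable visible in this scope.
function parseWithEval(body) {
  return eval('(' + body + ')'); // parentheses force an expression, not a block
}

// Safer: only the JSON grammar is accepted; anything else throws SyntaxError.
function parseWithJsonParse(body) {
  return JSON.parse(body);
}

// Run both parsers on the same body and report what each produced or threw.
function compareParsers(body) {
  const result = { eval: null, evalError: null, json: null, jsonError: null };
  try { result.eval = parseWithEval(body); } catch (e) { result.evalError = e.name; }
  try { result.json = parseWithJsonParse(body); } catch (e) { result.jsonError = e.name; }
  return result;
}

console.log('honest   :', compareParsers(honestBody));
console.log('malicious:', compareParsers(maliciousBody));
console.log('leaked via eval:', audit.leaked);
```

With the honest body both calls return the same object, which is why the two solutions look interchangeable. With the malicious body eval() returns a book priced at 0.01 and has already copied the secret out of the server's scope, while JSON.parse() throws SyntaxError and produces nothing.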
In which situation is it a good idea to use eval?
eval() is a global function, so it can be called from anywhere, including inside another function. For example, the native JSON.parse is based on Douglas Crockford's json2.js, which uses eval() on line 497 to build the object. It only does so after checking the text against regular expressions that reject anything that is not JSON, which is exactly the control a bare eval() on a request body lacks.
JSON.parse()
JSON is usually described as a subset of JavaScript, although strictly it is not (JSON allows the unescaped line separators U+2028 and U+2029 inside strings, which JavaScript string literals did not accept before ES2019). Still, the two are used together all the time.
The method JSON.parse(string, reviver?) transforms the string value (its first argument) into a JavaScript object, array, string, number, boolean or null. The optional second argument is a reviver function that is called for every parsed key/value pair and can transform or drop values before the result is returned.
The string argument of JSON.parse is checked against the JSON grammar, which puts it in a far better position than eval: if the text is not valid JSON, JSON.parse throws a SyntaxError instead of executing anything. So, is it safer? Yes, it is! The parser has a contract to follow: it only ever produces data and never runs code.
Tips:
1). Prefer JSON.parse over eval in your implementations!
2). Don't forget to always validate your input!
3). Validation is necessary because, besides preventing attacks, it also makes the user experience better!
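An added example (not the post's own code) of tips 1 and 2 together: the request body is parsed with JSON.parse and then validated before anything is trusted. The Book shape, the 1 KiB body limit and the sample bodies are assumptions constructed for the demo.

```javascript
// Added example, not code from the original post. The Book schema and the size
// limit are assumptions for the demo.
const MAX_BODY_BYTES = 1024;

// Allowed keys and the check each value must pass. Anything not listed is rejected.
const bookSchema = {
  title: (v) => typeof v === 'string' && v.length > 0 && v.length <= 200,
  price: (v) => typeof v === 'number' && Number.isFinite(v) && v > 0,
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return a list of validation errors for an already-parsed value (empty = valid).
function validateBook(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  for (const key of Object.keys(bookSchema)) {
    if (!hasOwn(value, key)) errors.push(`missing field: ${key}`);
    else if (!bookSchema[key](value[key])) errors.push(`invalid value for: ${key}`);
  }
  for (const key of Object.keys(value)) {
    if (!hasOwn(bookSchema, key)) errors.push(`unexpected field: ${key}`);
  }
  return errors;
}

// Parse an HTTP body string safely: size check, JSON.parse (never eval), then
// schema validation. A SyntaxError from JSON.parse becomes a normal error result.
function parseBookRequest(body) {
  if (typeof body !== 'string' || new TextEncoder().encode(body).length > MAX_BODY_BYTES) {
    return { ok: false, errors: ['body too large or not a string'] };
  }
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { ok: false, errors: [`malformed JSON: ${e.name}`] };
  }
  const errors = validateBook(parsed);
  if (errors.length > 0) return { ok: false, errors };
  // Copy only the known fields so nothing unexpected travels further into the app.
  return { ok: true, value: { title: parsed.title, price: parsed.price } };
}

// Constructed sample bodies: one good, the rest each failing a different check.
const samples = [
  '{"title":"Eloquent JavaScript","price":39.9}',
  '{"title":"Eloquent JavaScript","price":"39.9"}',
  '{"title":"Eloquent JavaScript","price":1,"isAdmin":true}',
  '(1+1, {"title":"Eloquent JavaScript","price":1})',
  '[1,2]',
];
for (const body of samples) console.log(body, '=>', parseBookRequest(body));
```

The validation step matters even though JSON.parse is already safe against code injection: the parser guarantees that you get data, not that the data has the shape, types and ranges your code assumes (a price sent as a string, a negative price, or an extra field such as isAdmin all parse fine).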