Take a drink every time you see this pattern:

$.ajax({
    data: "{things:stuff}",
    dataType: "json", //other properties omitted
    success: function (result) {
        var myObject = eval("(" + result.d + ")"); //noooooooooooooooo
    }
});

Take a drink when someone seriously brings up the catchphrase “eval is evil” or a variant of it.
Finish all of the drinks if you sincerely think that nobody would ever get malicious code into your database/application that will be happily executed when eval evaluates it and send your client to their phishing duplicate of your login page where they harvest user credentials before redirecting them right back to your application so nobody ever realises what just happened.
Aside:
“Eval is not evil” in the same way that dynamic SQL is not evil. But in this case it’s bad, and wrong. JSON.parse is how to parse JSON.
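
To see the difference, here is an added example (not code from the original post) that feeds the same `result.d` string to both `eval` and `JSON.parse`. The helper names and both sample responses are constructed for illustration; the "malicious" value only records that it ran.

```javascript
// Added example: the same result.d string handled by eval and by JSON.parse.
// `result` mimics the response shape in the snippet above (a JSON string in
// the .d property); both sample responses are constructed for illustration.

const sideEffects = [];                        // records anything that executes
globalThis.recordSideEffect = (msg) => { sideEffects.push(msg); return 1; };

const benign = { d: '{"name":"Alice","id":7}' };
// Stored value that is valid JavaScript but not valid JSON.
const tainted = { d: '{"name":"Alice","id":recordSideEffect("ran as code")}' };

// The pattern from the post: whatever is in result.d gets executed.
function parseWithEval(result) {
  return eval("(" + result.d + ")");
}

// Replacement: JSON.parse accepts data only and throws SyntaxError otherwise.
function parseSafely(result) {
  try {
    return { ok: true, value: JSON.parse(result.d) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

function demo() {
  sideEffects.length = 0;
  const evalBenign = parseWithEval(benign);
  const evalTainted = parseWithEval(tainted);    // calls recordSideEffect
  const afterEval = sideEffects.slice();
  sideEffects.length = 0;
  const safeBenign = parseSafely(benign);
  const safeTainted = parseSafely(tainted);      // rejected, nothing runs
  return { evalBenign, evalTainted, afterEval, safeBenign, safeTainted,
           afterParse: sideEffects.slice() };
}

console.log(demo());
```

In the `success` callback, the `ok: false` branch is where you log and discard the response rather than use it.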