
drop eval function #213

Open
gpedro opened this issue Feb 6, 2023 · 4 comments

Comments

@gpedro
Contributor

gpedro commented Feb 6, 2023

Description:

drop eval functions for better support on running in web hosting

@slawkens
Owner

Any replacement suggested? ;)

@SRNT-GG
Contributor

SRNT-GG commented Apr 30, 2023

Using proper functions and stuff would be good. I'll quote Rasmus (founder of PHP, make of it what you will):

> If eval() is the answer, you're almost certainly asking the
> wrong question. -- Rasmus Lerdorf, BDFL of PHP

It also opens up many possibilities for remote code execution for no good reason. I can't think of a single time I have had to use eval() in literally millions of lines of code. In short, it's unsafe and lazy at best.

@slawkens
Owner

In that case, this is legit, I think.

We have no user input there, just config.lua parsing.

But, well. I am open to suggestions on how that could be replaced :)

@SRNT-GG
Contributor

SRNT-GG commented Nov 13, 2023

> In that case, this is legit, I think.
>
> We have no user input there, just config.lua parsing.
>
> But, well. I am open to suggestions on how that could be replaced :)

Currently looking into this, but it seems eval() is only used to validate that an expression exists and contains two values. This could be done with an if/switch statement instead. Could you elaborate on whether or not I am misunderstanding this?

Will have a look into "fixing" this later when I have more time to test its functionality and then create a PR.

And you are correct about how it's used, and currently it should not present any issues. The thing is, while this code looks safe, we cannot safely assume there are no, or will be, any vulnerabilities that can abuse this somehow. Eval is a dangerous function to use in a live production env. I can absolutely see it used for prototyping or similar, but for a live website it's.. Sketchy!
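One way to do the "key = value" config.lua parsing discussed above without eval(), as an added example that is not code from this project or thread. It assumes one assignment per line with a plain literal (quoted string, number or boolean) on the right-hand side and no trailing comments; anything else is skipped rather than executed.

```php
<?php
// Added example (not the project's own code): parse a Lua-style
// "key = value" config without eval(). Sample input is constructed.
declare(strict_types=1);

// Convert one Lua literal (quoted string, number, boolean) to a PHP
// value; return null for anything else so it is never executed.
function parseLuaLiteral(string $raw): mixed
{
    $raw = trim($raw);
    if (preg_match('/^(["\'])(.*)\1$/s', $raw, $m)) {
        return $m[2];
    }
    if (is_numeric($raw)) {
        return str_contains($raw, '.') ? (float) $raw : (int) $raw;
    }
    return match ($raw) {
        'true' => true,
        'false' => false,
        default => null,
    };
}

// Parse simple assignments into an array. Comments, blank lines and
// anything that is not "identifier = literal" are skipped, not run.
function parseLuaConfig(string $contents): array
{
    $config = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || str_starts_with($line, '--')) {
            continue;
        }
        if (!preg_match('/^([A-Za-z_]\w*)\s*=\s*(.+)$/', $line, $m)) {
            continue;
        }
        $value = parseLuaLiteral($m[2]);
        if ($value !== null) {
            $config[$m[1]] = $value;
        }
    }
    return $config;
}

// Constructed sample; an eval()-based loader would execute this text.
$sample = "-- comment\nserverName = \"Example\"\nworldId = 0\n"
    . "ratePvp = 1.5\nallowChangeOutfit = true\nstartupHook = someFunction()\n";
var_dump(parseLuaConfig($sample));
```

The last sample line is dropped because its right-hand side is a call, not a literal, which is the whole point of parsing rather than evaluating the file.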
