Site Tools


eval

Table of Contents

Synopsis:

eval <block>

Description:

Eval treats its arguments as a ircii_syntax and executes it. Generally the only place you need to use eval is at the input prompt. Normally the commands you type at the input prompt are treated as command statements that already expanded; If you wish to put $-expandos in your statement and have them substituted, you would not ordinarily have any way to do that. But the eval command provides for this.

This is the reason why using eval in a script is so dangerous. Because command statements are expanded before the command is executed, it is possible for dangerous text to be included in the argument list. You must never pass to eval anything that contains text from an untrusted source (ie, from the server)

But for a more concrete example, eval allows you to indirectly reference variables, but only if you're careful about it:

if (1) {
   @ variable = 'this is some text';
   @ indirect = '$variable';
   echo $indirect;
   eval echo $indirect
};

The output of these two echos are:

$variable
this is some text

Why does this work? Because ircII expands $'s in the command and then splits it into a command and an argument:

eval echo $indirect

expands to:

eval echo $variable

and the eval command expands the arguments, and runs them:

"eval" + "echo $variable"

becomes

"eval" + "echo this is some text"

and this results in the second line of output. You have to be very careful about this, because if you eval a string that comes from an untrusted source, someone could take over your client. Consider this:

on public * {eval echo $*}

Now consider if someone says “hi there!;exec rm -rf ~”

"eval echo $*"

becomes

"eval echo hi there!;exec rm -rf ~"

which becomes

"eval" + "echo hi there!;exec rm -rf ~"

If this occurs, epic will dutifully remove all your files. BE CAREFUL! Do not use eval without a very good reason!

History:

eval.txt · Last modified: 2007/02/12 22:51 by 127.0.0.1