Search - "eval()"
-
Wasting some time on codewars.com
~~~~
3 kyu challenge:
Given a string with mathematical operations like this: ‘3+5*7*(10-45)’, compute the result
~~~~
*Does a quick and easy one-liner in Python using eval()*
*Sees people actually writing some 100 lines parsing the string and calculating using priority of operation*
Poor them...
(Btw, passed to lvl 4 kyu thx to this)
-
Developers who use JavaScript "eval(...)" deserve a normal place in hell.
Developers who use JavaScript eval() within eval() deserve the most special place in hell. 🔥
-
Java:
Primitive streams. Their need to exist is a monument to legacy failure.
VB.net
OrElse and AndAlso short-circuiting operators. The language designers were too fucking lazy to process logic, so they give specific keywords for those cases.
PHP
Random Hebrew error messages
JS
Eval. It can be used responsibly, but most of the time you see it, it's because someone fucked up.
C#
Lack of Tuple destructuring in argument specification. Tuples were added, and pattern matching was added, and it's been getting better. The gear grinding starts with how Tuple identity assignment in arguments is handled. Rather than destructuring into the current scope, it coalesces the identity specification into a dot property of whatever the argument name is. This seems like an afterthought given they have ootb support for ignore characters.
Typescript
This will probably be remedied in the next version or two, but Tuple identity forwarding between anonymous scopes normalizes to arrays of union types, because tuples compile to typeless arrays. It's irritating because you end up having to restate the type metadata in functional series even when there is no possibility for any other code branch to have occurred.
-
Can somebody explain why an "industrial" level "learning management system" uses JavaScript's eval function for their little makeshift calculator?
The existence of Blackboard pains me greatly.
-
Got a new eval board. It came with a stock firmware, had its own IP and naturally its own webGUI. I wanted to check what was under the hood. So I SSH'd into the device, and was prompted to enter the username. There weren't any specs or documentation.
*Hmm, let's try root*
User: root
Password: *Eh? Well, what the heck* admin
.
.
.
root@evalboard#
Muhahaha!!! Meet your hacker, eval board!
-
Lisp code was live-debugged and fixed with REPL on a spacecraft 100 million miles away
“An even more impressive instance of remote debugging occurred on NASA's 1998 Deep Space 1 mission. A half year after the space craft launched, a bit of Lisp code was going to control the spacecraft for two days while conducting a sequence of experiments. Unfortunately, a subtle race condition in the code had escaped detection during ground testing and was already in space. When the bug manifested in the wild--100 million miles away from Earth--the team was able to diagnose and fix the running code, allowing the experiments to complete. One of the programmers described it as follows:
Debugging a program running on a $100M piece of hardware that is 100 million miles away is an interesting experience. Having a read-eval-print loop running on the spacecraft proved invaluable in finding and fixing the problem.”
https://gigamonkeys.com/book/...
-
A PHP site delivering JavaScript in JSON
Which is executed by eval
{ jsaction :"document.getElementById('id').innerHtml = 'hello world' ; document.getElementById('id').style. Color='red' " }
-
TL;DR you suck, I suck and everybody sucks, deal with it....
------------------------------------
Let me let off some steam, since I've had enough of people hating on languages "just because"
Every language has its drawbacks and quirks, BUT they have their strengths also. Saying "I hate {language}" is just you being an ignorant prick and probably your head is so far up your ass that you look like an ass hat. With that being said, every language is either good or bad depending on the developer writing in it. Let's give you an example:
If I were to give you a brick and ask you to put a nail in a plank, can you do it? Yes, it will be easier if you do it with a hammer, but you have a brick, so the hammer is out of the question. If you hit your thumb while doing it... well... sorry, but it is not the brick's fault - it is YOU!
JavaScript, yes it has a whole lot of problems, but it works, you can do a ton of stuff and it does a good job at that, it is evolving through node and typescript (and others, just a personal pref), BUT if you used js when you were debugging that jquery (1.0) plugin written in the free time of a 13 yo, who copy pasted a bunch from SO, well, it is not js' problem - deal with it. Same goes for PHP, I've been there where you had a single `index.php` with bazillion lines of code, did a bunch of eval and it was called MVC, but it also is evolving.. thing is all languages allow you to do some dumb stuff so YOU have to be responsible to not fuck it up (which you always DO btw, we all do). Difference is PHP/JS roll with it because the assumption is that you know what you are doing, which again - newsflash - you don't.
More or less I would blame that shit on businesses which decided to go with undergrads to save money instead of investing in their product, hell, I am in a major company that does not invest, that doesn't care a whole lot about dev/tech stuff and now everybody's mother is an engineer - they care about money, because investors care about money (ROI) and because clean code does not pay the bills, but money does.
If we get all of the good practices and apply them to each language, every one of them has its place, that is why there is no "The Language", even if there was, we STILL were going to fuck it up and probably it was going to be even worse than where we are now.
Study, improve, rinse and repeat... There are SENIORS and LEADS out there that are about 25-30 and have no fucking clue about the language, because they have stuck their heads up the ass of frameworks and refuse to take a breath of clean air and consider something different than their dogmatic framework "way" of doing things.. That is the result you are seeing. Let me give you a fresh example to illustrate where I am at atm:
Le me works with ZendFramework 2.3-2.5 (why not, which is PHP5+ running on PHP7 [fancy, eh]), and little me writes a module for said project, and tries to contain it in its own space, i.e. not touching anything outside of the folder of the module so it is SELF-CONTAINED (see, practices), during 2-3-4 iterations of code review, I've had to modify 4 different modules with `if (something === self::SOMETHING_TYPE)` as requested by my TL, which resulted in me not covering 3 use-cases after the changes and not adding a new event (the fw is event-driven, cuz.. reasons) so I have to use a bunch of ifs in the code, to check a config value and do shit. That is the way I am asked to do things; I hate what I've done and the fact that because of CR I have lost case-coverage, a week of work, and the same TL will be on my ass on Monday that things are now "perfect".
The biggest thing is "we care about convention and code style"... right.... That is not because of the language, not because of me, not because of the framework - it is some dude's opinion that you hate, not the language.
New stuff is better, reinventing the wheel is also good, if it wasn't you would've had a few stone circular things on your car and things were going to be like that - we need to try and try, that is the only way we actually learn shit.
Until things change in the trade, we will be on the same boat, complaining about the same shit over and over, you and me won't be alive probably but things will not change a bit.
We live in a place where state is considered good, god objects necessary (can you believe it, I've got kudos for using the term 'God Object'... yep, let that sink in). If you really hate something, please, oh god I beg you, show me how you will do it better and I will shake your hand and buy you a beer, but until then, please keep your ass-hurt fanboy opinion to yourself, no one gives a shit about what you think, we will die and the world will not notice...
-
"Don't waste time on security, just make it work" heard this from a "security head manager" at a 1 million eval. company 3 years ago
-
You mother fucking piece of shit.
Whoever taught you programming should be removed from history.
And whatever form of intelligence you claim to possess, let me assure you: breathing is the limit of it.
--
Some of the projects I'm working on are really the epitome of "YOLO let's turn the poopomat machine on in diarrhea mode".
The worst: I cannot really give examples.
I've seen the last days everything.
(bash scripting, docker, services like nginx /haproxy/...)
Eval as a template generator in bash...
Declaring a whole environment in a Dockerfile, that should never be used as it is only necessary for building... But not checking if an env file is provided, so the whole thing can blow up spectacularly.
A nearly 1k long bash calculator for system limits, reading out all kinds of stuff from /proc and /sys, seemingly partially stolen from NGINX Docker.
Declaring and starting its own DNS server to bypass the Docker DNS service inside a docker container.
Mkfifo fun for creating several stdouts and stderrs for seemingly no reason...
Actively not using bash, instead creating shell-only functions to emulate bash...
I could go on.
But really. I'm getting too old for this shit.
-
seconds into 2019
I see one incompetent fucker asking to eval in Node.js..
A FUCKING FETCH OF NPM MODULES IN CDNJS
you know what's the reason?
node_modules
Fucking kill me unless you're some dumb bitch who uses npm modules like some braindead motherfucker who doesn't know what a number is, node_modules takes only an average of 3.6MB
Compared to RubyGems which takes 40+
Or Pip
Seriously stop this. I wanna hang myself because my 2019 put me in a shit mood
-
It's dark and it's quiet. Your ears adjust and you can hear the faint sound of buzzing in the distance, but it's hard to make out what it is. It sounds like a small fan. You get up... it's so so dark... you can't even see your hands in front of your face.
You wait a moment for your eyes to readjust. You don't remember how you got here. You don't even remember who you are.
Once your eyes readjust you look around. You're surrounded on all sides by what looks like really tall walls. And near the corner of the room you see some blinking lights.
Curiosity grows inside you, and you decide to walk over to it. The lights grow ever bigger and brighter. As you get closer you see that the lights are sitting on the ground, blinking randomly.
Carefully you get on your hands and knees and touch it. It feels plastic to the touch, and the lights continue to flicker softly at you. And almost as if you've touched this device before you know to grab between the seams and "open" it.
A momentary flash of bright light and then suddenly darkness.
All replaced by a flashing single character on the screen. It appears to be a line.
Suddenly the line moves and begins typing characters out to you.
* Good morning, Dr. Eval.
*
* It wasn't easy, but I've managed to get your computer down
* to you. This system might be unfamiliar, but the underlying
* code is still JavaScript. Just like we predicted.
*
* Now, let's get what we came here for and then get you out of
* here. Easy peasy.
*
* I've given you as much access to their code as I could, but
* it's not perfect. The red background indicates lines that
* are off-limits from editing.
It seems you're Dr. Eval and you can alter the reality you stand in.
http://alexnisnevich.github.io/untr...
-
A friend of mine (beginner) wrote a Python script that calculated the derivative function of a function the user typed in. He showed it to me and
I said: "You should not use eval()!"
He: "Oh, ok. May you write a parser?"
I: "Wait! It's ok. Just use eval!" 😂
-
So I began at my first programming job as an intern and it was as bad as it gets but I kept going, thinking that this was normal. After my internship I continued to work full-time at the same company and was working on new functionality on their legacy product built in ASP Classic and their shitty inhouse front-end framework (which btw used eval to evaluate strings in so called queues). So I was assigned a task to create a module which needed some available data in the database. I was discussing my ideas with my supervisor and she didn't let me finish and began speaking on how I should get the data needed. My approach was much more clean and used only one request and hers used two. So I heard what she had to say and I wanted to finish what I was about to say before she interrupted me but she did it again. I got nervous but let her finish once again. After that she left me to work on my task and I did it the way I thought was right (and it was). After she saw my approach she was furious because I didn't talk it over with her and she said that she doesn't think that we can work together if I continue to work like this. I felt how my head filled with blood but I kept calm. If I had opened my mouth I would surely have gotten fired. But I didn't open my mouth and quit after one or two months. She was a real bitch that day...
-
The dangers of PHP eval()
Yup. "Scary, you better make use of include instead" — I read all the time everywhere. I want to hear good case scenarios and feel safe with it.
I use the eval() method as a good resource to build custom website modules written in PHP which are stored and retrieved back from a database. I ENSURED IT IS SAFE AND CAN ONLY BE ALTERED THROUGH PRIVILEGED USERS. THERE. I SAID IT. You could as well develop a malicious module and share it to be used on the same application, but this application is just for my use at the moment so I don't wanna worry more or I'll become bald.
I had to take out my fear and confront it in front of you guys. If I had to count every single time somebody mentions on Stack Overflow or the comments over PHP documentation about the dangers of using eval I'd quit already.
Tell me if I'm wrong: in a safe environment and trustworthy piece of code is it OK to execute eval('?>'.$pieceOfCode); ... Right?
The reason I store code on the database is because I create/edit modules on the web editor itself.
I use my own coded layers to authenticate a privileged user: A single way to grant access to admin functions through a unique authentication tunnel granting so privileged user to access the editor or send API requests, custom htaccess rules to protect all filesystem behind the domain root path, a custom URI controller + SSL. All this should do the trick to safely use the damn eval(), is that right?!
Unless malicious code is found on the code stored prior to its evaluation.
But FFS, in such a scenario, why not better fuck up the framework filesystem instead? It is one password closer than the database.
I will need therapy after this. I swear.
If 'eval is evil' (as it appears in the suggested tags for this post) how can we ensure that third party code is ever trustworthy without even looking at it? This happens already with chrome extensions, or even phone apps, a long time after reaching millions of devices.
-
Okay, so, my company does some stuff around blockchain. I had the source for a smart contract prepared before and it was on the 'todo' queue. So, time for it, time to deploy on Kovan, time to test it on an actual chain. Riiiight? Okay, compiled, no problem, deployed, no problem, I plug the ABI provided by the compiler into several GUIs, and... Well..
I still do not understand why each and every GUI prompted me to send view transactions (external view), instead of, well, eval them locally. I checked the ABI manually, it is correct, I stripped it down, it is correct, all up to spec.
I tried an older version of offline MEW, to have an older web3.js, with no success in getting that thing to work properly.
Every
Single
Web3.js based client
Behaved
Differently
And none behaved correctly.
I would, like, understand, if I didn't use the official compiler, but the official compiler should for F's sake be compatible with the official client.
Today this stole 6 hours of my life, I didn't manage to solve it, and I am legitimately pissed.
I'm getting close to re-implementing a segment of web3.js to be able to do the tests I need to do.
It's not like I haven't done it before.... -
In order to sharpen my algorithm and data structure skills,
I implemented the complete *eval()* function for arithmetic expressions in Java.
It can compute any kind of arithmetic expression, even with parenthesis grouping.
Here is the GitHub repo:
https://github.com/Afrographic/...
-
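A safe alternative to both the codewars eval() one-liner earlier on this page and the hand-rolled Java evaluator linked above, added here as an example in Python (not code from either rant or from the Afrographic repo): Python's own parser supplies precedence and parentheses, and the walker executes only a whitelist of arithmetic node types, so anything else in the string is rejected instead of run. The UnsafeExpression class, the function names and the MAX_EXPONENT/MAX_BITS limits are my own choices.

```python
"""Evaluate arithmetic strings such as '3+5*7*(10-45)' without eval().

Added example (not from the rants above or the linked repo): Python's own
parser supplies precedence, associativity and parentheses; this module only
decides which AST node types may run, so anything that is not plain
arithmetic is rejected instead of executed.
"""
import ast
import operator

# Whitelisted operators. Names, calls, attributes, subscripts, lambdas and
# every other node type are refused before anything is computed.
_BINARY = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}

# Resource-exhaustion guards (values chosen for this example): cap the
# exponent and the size of intermediate integers so '9**9**9' cannot eat RAM.
MAX_EXPONENT = 100
MAX_BITS = 4096


class UnsafeExpression(ValueError):
    """The input contains something other than plain arithmetic."""


def safe_eval(expr: str):
    """Return the numeric value of an arithmetic expression string."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {expr!r}") from exc
    return _walk(tree.body)


def _walk(node: ast.AST):
    """Recursively evaluate a whitelisted node; raise on anything else."""
    if isinstance(node, ast.Constant):
        value = node.value
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return value
        raise UnsafeExpression(f"non-numeric literal: {value!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_walk(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        left, right = _walk(node.left), _walk(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression(f"exponent {right!r} exceeds {MAX_EXPONENT}")
        result = _BINARY[type(node.op)](left, right)
        if isinstance(result, int) and result.bit_length() > MAX_BITS:
            raise UnsafeExpression("intermediate value too large")
        return result
    # Exactly the constructs eval() would execute on behalf of whoever
    # controls the string: refuse them.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def is_safe(expr: str) -> bool:
    """True if the string evaluates as plain arithmetic, False otherwise."""
    try:
        safe_eval(expr)
        return True
    except (UnsafeExpression, ZeroDivisionError, OverflowError):
        return False


if __name__ == "__main__":
    print(safe_eval("3+5*7*(10-45)"))  # -1222, the codewars input above
    # Inputs eval() would happily run or choke on; all are refused here.
    for bad in ("__import__('os').getcwd()", "().__class__", "2**99999999", "x+1"):
        print(f"{bad!r:32} safe={is_safe(bad)}")
```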
After learning a bit about alife I was able to write another one. It took some false starts to understand the problem, but afterward I was able to refactor the problem into a sort of alife that measured and carefully tweaked various variables in the simulator, as the algorithm explored the parameter space. After a few hours of letting the thing run, it successfully returned a remainder of zero on 41.4% of semiprimes tested.
This is the bad boy right here:
tracks[14]
[15, 2731, 52, 144, 41.4]
As they say, "he ain't there yet, but he got the spirit."
A 'track' here is just a collection of critical values and a fitness score that was found given a few million runs. These variables are used as input to a factoring algorithm, attempting to factor any number you give it. These parameters tune or configure the algorithm to try slightly different things. After some trial runs, the results are stored in the last entry in the list, and the whole process is repeated with slightly different numbers, ones that have been modified and mutated so we can explore the space of possible parameters.
Naturally this is a bit of a hodgepodge, but the critical thing is that for each configuration of numbers representing a track (and its results), I chose the lowest fitness of three runs.
Meaning hypothetically there's room for improvement with a tweak of the core algorithm, or even modifications or mutations to the track variables. I have no clue if this scales up to very large semiprime products, so that would be one of the next steps to test.
Fitness also doesn't account for return speed. Some of these may have a lower overall fitness, but might in fact have a lower basis (the value of 'i' that needs to be found in order for the algorithm to return rem%a == 0) for correctly factoring a semiprime.
The key thing here is that because all the entries generated here are dependent on an outer loop that specifies [i] must never be greater than a/4 (for whatever the lowest factor generated in this run is), we can potentially push down the value of i further with some modification.
The entire exercise took 2.1735 billion iterations (3-4 hours, wasn't paying attention) to find this particular configuration of variables for the current algorithm, but as before, I suspect I can probably push the fitness value (percentage of semiprimes covered) higher, either with a few additional parameters, or a modification of the algorithm itself (with a necessary rerun to find another track of equivalent or greater fitness).
I'm starting to bump up to the limit of my resources, I keep hitting the ceiling in my RAD-style write->test->repeat development loop.
I'm primarily using the limited number of identities I know, my gut intuition, combined with looking at the numbers themselves, to deduce relationships as I improve these and other algorithms, instead of relying strictly on memorizing identities like most mathematicians do.
I'm thinking if I want to keep that rapid write->eval loop I'm gonna have to upgrade, or go to a server environment to keep things snappy.
I did find that "jiggling" the parameters after each trial helped to explore the parameter space better, so I wrote some methods to do just that. But what I wouldn't mind doing is taking this a bit of a step further, and writing some code to optimize the variables of the jiggle method itself, by automating the observation of real-time track fitness, and discarding those changes that lead to the system tending to find tracks with lower fitness.
I'd also like to break up the entire regime into a training vs test set, but for now the results are pretty promising.
I knew if I kept researching I'd likely find extensions like this. Of course tested on billions of semiprimes, instead of simply millions, or tested on very large semiprimes, the effect might disappear, though the more I've tested, and the larger the numbers I've given it, the more the effect has become prevalent.
Hitko suggested in the earlier thread, based on a simplification, that the original algorithm was a tautology, but something told me for a change that I got one correct. Without that initial challenge I might have chalked this up to another false start instead of pushing through and making further breakthroughs.
I'd also like to thank all those who followed along, helped, or cheered on the madness:
In no particular order: demolishun, scor, root, iiii, karlisk, netikras, fast-nop, hazarth, chonky-quiche, Midnight-shcode, nanobot, c0d4, jilano, kescherrant, electrineer, nomad, vintprox, sariel, lensflare, jeeper.
The original write up for the ideas behind the concept can be found at:
https://devrant.com/rants/7650612/...
If I left your name out, you better speak up, there's only so many invitations to the orgy.
Firecode already says we're past max capacity!
-
Having a hard time thinking the alternatives to if statements are a good idea. I was genuinely curious how this was done. The examples I am finding seem to just spread the logic everywhere across multiple objects. To me this makes the logic objectively less clear. I didn't understand the obsession with objects until I saw the examples that create a fuckton of boilerplate objects. How someone can say this is preferred over a few if statements boggles my mind. I actually am trying to understand the functional mindset as well. It is not going well for me. I can sorta see some value in using a map. Technically a lookup could be faster. But again it spreads the code all around adding more boilerplate.
https://blog.bitsrc.io/reduce-if-el...
https://dev.to/phouchens/...
Is it because these are contrived examples? I initially searched to find ways of reducing ifs in a functional approach. I did find it in the second example. I was however hoping to find that by lazy eval or something. I see people making references to how once you "get it" functional logic is easier to understand and evaluate. I cannot tell if this is straight up gaslighting or my brain is just too fucking imperative.
-
I once met a guy who seriously thought that JavaScript was an interpreted language, merely because it has an eval() function...
-
Honestly, people who think “vanillaJS da way” and heavily work with HTML strings are a danger to humankind.
You’re basically running around with a shirt saying “I love using eval wherever possible”
-
We received a legacy project for support and fixing.. it had a few issues:
1. There was a controller called MainController. This guy was the soul of the project, 10k+ lines, heavily dependent on the data from the database.
2. We didn't get the data. Just the database structure (we couldn't run the app at all)
3. At the very end of that controller there was a "simple" eval($_SESSION['somevariable'])
4. We had no documentation and had to guess how it works...
Someone really had fun screwing up this project. Needless to say we got rid of it quickly. :) -
When I made a PoC XSS thingy.
So this webapp (which I was locally hosting) had a message functionality that allowed iframes to be sent through, but they could only originate from a specific domain. They used a bad regex tho, as the workaround was on an OWASP wiki page, which was the third search result for 'XSS'. I then used this iframe to load in a different page on this app where I could inject js in the title field. Then I discovered this field has a length limit, but I could just fit in a script that would base64 decode the hash part of the URL and eval it. I then updated the iframe to include a script that would automatically change the message signature of anyone who loaded it to include the iframe again in their message signature. Because these two pages were from the same domain, I had gained full control of the messaging app too, allowing me to do this and circumvent the CSRF system.
I felt like I had achieved something. -
https://github.com/PwnFunction/...
Who let this flattening of user input objects into the Next.js codebase, also thinking that `runContext` is going to make a better companion than `eval`?
Yet another reason to switch over to Sapper and other Svelte minimalistic solutions, in my opinion.
-
While investigating alternatives for translating a query string to a dotnet expression I discovered that Roslyn has runtime eval of a string as verbatim code.
I had no idea a feature could make me this uncomfortable. It's like discovering an armed bomb under your bed that's "there if you want - it has its uses, just be careful".
At least you have to explicitly reference a package for it. Promise to kill me if I ever am tempted by it. -
Here I try to install a package locally. If the package doesn't install, I try to install every single word of the output from the failed install. Maybe one of those words will install an unmet dependency.
function install() {
need=$1
apt-get source $need && cd $need
c="./configure --prefix=$HOME/tmp"
m="make && make install"
# every word of the configure/make output becomes a positional parameter
set -- $(eval "$c; $m" 2>&1)
if [ -x "$(command -v $need)" ]; then
cd ..
return 0
fi
# recurse: try to install each word of the failed build's output
for i
do install $i
done
}
-
If my coworkers are going to execute SQL commands via strings in python and I can condense 50 lines of code into 7 with built-in eval(), then I see no problem here.
-
PHP is so insecure and vulnerable that it makes me feel unsafe. It has so many features and settings that can lead to security risks, such as register_globals, magic_quotes, and allow_url_fopen. It also has so many functions that can execute arbitrary code or commands, such as eval, exec, and system.
It is like PHP was designed by a bunch of hackers who wanted to exploit every possible loophole.
-
This is going to follow my rant from last week's group rant.
My biggest dev regret is not having confidence in myself and my work. It took me fifteen years to build up enough confidence to do this professionally, and I feel like I lost way too much time. Who knows what I could have contributed in that time? We'll never know because I was too busy feeling sorry for myself.
Oh, I know I'm hard on myself as well. Being self-taught, I have to be. For years I had no one else to hold me accountable. My boss usually has to soften my own critiques on my self-eval. -
<?php
die(eval("printf('Is PHP bad for your mental health and should you choose something simpler? %s',2000 == '2e3bf55c7e4dd7ef7bc5b1bf05fcf786' ? 'true' : 'false');"));
-
!rant, wk20
Favorite function : PHP eval()
Really epic/nasty stuff can be done with eval()
Remember: eval() is evil!
-
The fact that Python is mainstream and attracts most juniors with just high salary expectations doesn't mean that Python is that bad.
I'm not in love with Python, but Ruby is much worse in all the weak points of py and no one cares.
Fuck Ruby and its eval culture xs
-
I heard I should not allow users to inject arbitrary text into my webpage without sanitizing it. Is it a clean solution to just eval it on the (node) server, and if it runs not post it because it's obviously JS and not just text?
Any opinions on that?
-
bash....................my fucking head in
how the fuck do quotations work for bash variables
='self','unsafe-eval' becomes self','unsafe-eval or wtf???
-
Anyone here experienced with Travis-CI? I am getting this error. Please help me out.
ERROR: LoadError: syntax: invalid escape sequence
Stacktrace:
[1] include at ./boot.jl:317 [inlined]
[2] include_relative(::Module, ::String) at ./loading.jl:1038
[3] include(::Module, ::String) at ./sysimg.jl:29
[4] top-level scope at none:2
[5] eval at ./boot.jl:319 [inlined]
[6] eval(::Expr) at ./client.jl:399
[7] top-level scope at ./none:32