Tutorials Guides Reference Articles Cookbooks About

eval() 

eval(string)
Returns: any · Added in vES1 · Updated March 13, 2026 · Global Functions
javascript eval global dynamic-code

The eval() function evaluates JavaScript code represented as a string and returns the result of executing that code. It is one of the oldest and most powerful features of JavaScript, but also one of the most dangerous when misused.

Syntax

eval(string)

Parameters

ParameterTypeDescription
stringstringA string representing a JavaScript expression, statement, or sequence of statements.

Return Value

The result of evaluating the given code. If the string is empty, it returns undefined. If the code throws an error, that error is propagated to the caller.

Examples

Basic Usage

eval("2 + 2");
// 4

const x = 5;
eval("x * 2");
// 10

eval("JavaScript".toUpperCase());
// "JAVASCRIPT"

Evaluating Expressions

eval("Math.sqrt(16)");
// 4

eval("10 > 5");
// true

Executing Multiple Statements

eval("const a = 10; const b = 20; a + b");
// 30

Dynamic Property Access

const obj = { name: "Alice", age: 30 };
eval("obj.name");
// "Alice"

const prop = "age";
eval("obj." + prop);
// 30

Working with Arrays

eval("[1, 2, 3].map(x => x * 2)");
// [2, 4, 6]

eval("'abc'.split('')");
// ["a", "b", "c"]

Security Concerns

Using eval() is generally discouraged due to security and performance issues. Understanding these risks is crucial for writing secure JavaScript applications.

Code Injection Risk

// DANGEROUS: Never use eval() with untrusted input
const userInput = "console.log('hacked')";
eval(userInput);  // Executes arbitrary code!

Alternatives for Different Use Cases

Alternative: Function Constructor

// Safer alternative for simple expressions
const add = new Function("a", "b", "return a + b");
add(2, 3);
// 5

Alternative: JSON Parsing

// For parsing JSON, use JSON.parse() instead of eval()
const json = '{"name": "Alice", "age": 30}';
JSON.parse(json);
// { name: "Alice", age: 30 }

Alternative: Template Literals

// Instead of eval() for dynamic strings, use template literals
const name = "World";
const greeting = `Hello, ${name}!`;
// "Hello, World!"

Performance Implications

The eval() function is significantly slower than alternatives because it must invoke the JavaScript interpreter at runtime. Every call to eval() forces the engine to compile and execute new code, bypassing many optimizations.

// Slow: Using eval() in a loop
for (let i = 0; i < 1000; i++) {
  eval("x = " + i);
}

// Faster: Direct code
for (let i = 0; i < 1000; i++) {
  x = i;
}

When eval() Might Be Necessary

There are rare cases where eval() is the only practical solution:

  1. Dynamic code generation from trusted sources
  2. JSON parsing of deeply nested structures (though JSON.parse() is preferred)
  3. Macro systems that generate code at runtime
  4. Legacy code that cannot be refactored

Even in these cases, carefully validate and sanitize any input before passing it to eval().

See Also

  • Function constructor — Alternative for creating functions dynamically from strings
  • JSON.parse() — Safe way to parse JSON data without executing arbitrary code
  • Math.sqrt() — Square root function as an alternative to parsing with eval