In a nutshell, the eval command takes whatever string you pass it as an argument, compiles that string, and executes it. There are all kinds of problems with this design pattern: it has poor performance, uses too much memory, and is difficult to maintain. Let's focus on the security aspects. If an attacker is able to inject arbitrary script code into an input and get eval to execute that code, the impact is essentially equivalent to that of a successful cross-site scripting attack. In my previous column, “Show Some Respect to Cross-Site Scripting,” I wrote about how cross-site scripting attacks can have extremely serious consequences, ranging from enabling phishing attacks to session hijacking and even self-propagating Web worms. Again, all of these attacks are still possible when executed through an eval injection.
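To make the point concrete, here is an added example (not code from the column) of a settings-parsing helper written two ways: one that hands the input string to eval, and one that uses JSON.parse, which only accepts the JSON data grammar. The input strings, the `recordSideEffect` helper and the counter are all constructed for the demo.

```javascript
// Counter that only changes if injected script actually runs.
let sideEffectCount = 0;
function recordSideEffect() {       // constructed helper, stands in for any attacker-reachable code
  sideEffectCount += 1;
  return "dark";
}

// Vulnerable: eval() compiles and executes the whole string, so anything that
// is syntactically JavaScript is treated as code, not as data.
function parseSettingsUnsafe(settingsText) {
  return eval("(" + settingsText + ")");
}

// Hardened: JSON.parse knows only literal data; an expression or a function
// call is a syntax error, and no code runs. A shape check rejects non-objects.
function parseSettingsSafe(settingsText) {
  const parsed = JSON.parse(settingsText);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new TypeError("settings must be a JSON object");
  }
  return parsed;
}

// Constructed inputs: a benign settings blob and one that smuggles a call.
const BENIGN = '{"theme": "dark", "fontSize": 14}';
const HOSTILE = '{"theme": recordSideEffect(), "fontSize": 14}';

// Runs both parsers over the hostile input and reports what happened.
function demo() {
  sideEffectCount = 0;
  const unsafeResult = parseSettingsUnsafe(HOSTILE); // looks like valid settings...
  const unsafeRanCode = sideEffectCount === 1;       // ...but code executed
  let safeRejected = false;
  try {
    parseSettingsSafe(HOSTILE);
  } catch (e) {
    safeRejected = e instanceof SyntaxError;         // rejected before any code ran
  }
  return { unsafeTheme: unsafeResult.theme, unsafeRanCode, safeRejected,
           sideEffectsAfterSafe: sideEffectCount };
}
```

Both parsers return the same object for `BENIGN`; only the eval-based one turns `HOSTILE` into code execution, which is exactly the injection described above.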
Hopefully I've convinced you that using eval is a bad idea, and you're about to go scour your code looking for instances of it. That's a good start, but eval has cousins that go under different