I understand that the use of eval(json_str) on the client is vulnerable to malicious

Question

0

Asked: May 24, 20262026-05-24T03:11:25+00:00 2026-05-24T03:11:25+00:00

I understand that the use of eval(json_str) on the client is vulnerable to malicious

0

I understand that the use of eval(json_str) on the client is vulnerable to malicious code. My question is, if json_str was an array constructed by the PHP function json_encode, would I be safe?

For example,

json_str = json_encode(array(record1, 
                             record2, 
                             record3));

would it now be entirely safe to use eval(json_str) inside client-side code?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-24T03:11:26+00:00

Editorial Team

2026-05-24T03:11:26+00:00Added an answer on May 24, 2026 at 3:11 am

Yes and no:

Yes: PHP produces valid JSON

No: PHP may as well return malicious code as in JSON.

If you can trust the source, or if you even have full control over it (because its yours), there is no problem.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I understand that the use of eval(json_str) on the client is vulnerable to malicious

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply