----- Original Message -----
From: "federico.galassi" <federico@...>
Sent: Thursday, March 06, 2008 9:01 AM
>> Because it spares you from getting malicious code into your application.
>> Ultimately, the
> JSON decoder does eval() your string but not before validating and
> ensuring it has no
> executable code in it, just values.
> be taking json from their own servers.
Who says your server cannot be compromised? Never heard about SQL
injection? SQL is not the only thing that can be injected into a database
field, which your application might later happily disperse elsewhere. Even
if you are secured against SQL injection, you might not be able to prevent
> How much is the performance penalty between
> parsing and eval'ing? is there a way to say datasource to just eval the
The JSON utility does eval() the JSON string; it simply uses three or four
regular expressions to validate it before it does so. It does very little at
engine (which is fast enough) three or four times before the actual eval()
doesn't really add much.
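
The validate-then-eval approach described in the reply above, as an added example that is not part of the original message and not the YUI JSON utility's own code. The regular expressions follow the widely used json2.js pattern; the names `isJsonShaped` and `safeParse` and the sample inputs are constructed here.

```javascript
// Added example: regex validation in front of eval(), json2.js-style.
// isJsonShaped and safeParse are hypothetical names used for illustration.

function isJsonShaped(text) {
  // 1. Replace each valid backslash escape with a harmless placeholder,
  //    so an escaped quote cannot end a string early in step 2.
  var s = text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@');
  // 2. Collapse every simple value (string, true/false/null, number) to ']'.
  s = s.replace(
    /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']');
  // 3. Drop '[' that opens an array at the start or after ':' or ','.
  s = s.replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  // 4. Only structural characters may be left. Identifiers, parentheses,
  //    '=', ';' or operators mean the text is code, not data.
  return /^[\],:{}\s]*$/.test(s);
}

function safeParse(text) {
  if (!isJsonShaped(text)) {
    throw new SyntaxError('rejected: input is not pure JSON');
  }
  // Parentheses make the engine read '{' as an object literal, not a block.
  return eval('(' + text + ')');
}

// Constructed sample inputs: one plain record, and two strings of the kind
// a tampered database field could hand back to the client.
var samples = [
  '{"name": "x", "n": [1, 2.5e3, true, null]}',
  '{"a": alert(1)}',
  '{"a": "x"}; window.x = 1'
];

samples.forEach(function (text) {
  try {
    safeParse(text);
    console.log('accepted: ' + text);
  } catch (e) {
    console.log(e.message + ': ' + text);
  }
});
```

Where the engine provides a native `JSON.parse`, it parses without calling `eval()` at all and is the preferred choice.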