Uh huh ... I feel exactly the same way about “evaling code taken from a database” as I do about the original way that JSON used to work.   JSON was conceptually simple in those early, trusting days:   “simply send JavaScript to the client, who can then execute it.”   (And, if you recall, PHP allowed you to send arbitrary variable-names in URL-strings, too.)   It is simply “too unsafe to consider” nowadays ... in addition to the fact that it introduces into the program “source-code that is not here.”   A genie you just can’t afford to let out of its bottle, regardless of language or situation.