I want to build my queries dynamically and use the following snippet: --snip-- module.exports = { get : function(req, res, next) { var queryStr = "req.database.table('locations').get(parseInt(req.params.id))"; if (req.params.id) { if (req.fields) { queryStr += '.pick(' + req.fieldsStr + ')'; } console.log(queryStr); eval(queryStr).run(function(result) { console.log(result); res.send(result); }); } else if (!req.params.id) { --snip-- However introducing eval opens up my code to injection (req.fields is filled with url parameters) and I see the response time of my app increase from 7 to 11ms Is there a smarter way to accomplish what I did here? Please advice.