如何用 Python 保存数据? [英] How to save data with Python?

问题描述

我正在编写一个 Python 程序，并希望用户能够保存他们正在处理的数据.我研究过 cPickle；看起来这将是一种快速简便的数据保存方法，但似乎不安全.由于可以腌制整个函数、类等，我担心流氓保存文件可能会将有害代码注入程序.有没有办法可以防止这种情况发生，或者我应该研究其他保存数据的方法，例如直接转换为字符串(这似乎也不安全)或创建 XML 层次结构，然后将数据放入其中.

I am working on a program in Python and want users to be able to save data they are working on. I have looked into cPickle; it seems like it would be a fast and easy way to save data, it seems insecure. Since entire functions, classes, etc can be pickled, I am worried that a rogue save file could inject harmful code into the program. Is there a way I can prevent that, or should I look into other methods of saving data, such as directly converting to a string (which also seems insecure,) or creating an XML hierarchy, and putting data in that.

我是python新手，请多多包涵.

I am new to python, so please bear with me.

提前致谢！

至于我存储的数据类型，主要是字典和列表.名称、速度等信息.目前相当简单，但未来可能会变得更复杂.

As for the type of data I am storing, it is mainly dictionaries and lists. Information such as names, speeds, etc. It is fairly simple right now, but may get more complex in the future.

推荐答案

从您的描述来看，JSON 编码是安全快速的解决方案.python2.6中有一个json模块，可以这样使用:

From your description JSON encoding is the secure and fast solution. There is a json module in python2.6, you can use it like this:

import json
obj = {'key1': 'value1', 'key2': [1, 2, 3, 4], 'key3': 1322}
encoded = json.dumps(obj)
obj = json.loads(encoded)

JSON 格式是人类可读的，与 python 中的字典字符串表示非常相似.并且没有任何像泡菜这样的安全问题.如果没有python2.6可以安装cjson或者simplejson

JSON format is human readable and is very similar to the dictionary string representation in python. And doesn't have any security issues like pickle. If you don't have python2.6 you can install cjson or simplejson

您不能使用 JSON 来保存像 Pickle 这样的 Python 对象.但是你可以用它来保存:字符串、字典、列表……对于大多数情况来说已经足够了.

You can't use JSON to save python objects like Pickle. But you can use it to save: strings, dictionaries, lists, ... It can be enough for most cases.

解释为什么pickle不安全.来自python 文档:

大多数安全问题围绕泡菜和cPickle模块涉及 unpickling.有没有已知的安全漏洞与酸洗有关，因为你(程序员)控制的对象pickle 将与之交互，以及所有它产生的是一个字符串.

Most of the security issues surrounding the pickle and cPickle module involve unpickling. There are no known security vulnerabilities related to pickling because you (the programmer) control the objects that pickle will interact with, and all it produces is a string.

但是，对于 unpickling，它从不解开不受信任的好主意来源可疑的字符串，因为例如，从套接字读取的字符串.这是因为 unpickling 可以创建意想不到的物体，甚至可能运行那些方法对象，例如它们的类构造函数或析构函数... 这个故事的寓意是你应该非常小心您的应用程序的字符串来源解封.

However, for unpickling, it is never a good idea to unpickle an untrusted string whose origins are dubious, for example, strings read from a socket. This is because unpickling can create unexpected objects and even potentially run methods of those objects, such as their class constructor or destructor ... The moral of the story is that you should be really careful about the source of the strings your application unpickles.

有一些方法可以保护自己，但在你的情况下使用 JSON 更容易.

There are some ways to defend yourself but it is much easier to use JSON in your case.

这篇关于如何用 Python 保存数据?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！