序列化对象文件时,C#的最佳实践 [英] C# best practice when serializing objects to file
问题描述
我建立一个小的应用程序,需要一个对象保存到文件以节省用户数据。
我有我的序列化到这个文件的两个问题:
I'm building a small app that needs to save an object to a file in order to save user data. I have two questions about my serialization to this file :
-
我创建的对象具有一定的公共属性和一个事件。我加了
[Serializable接口]属性为我的对象,然后意识到我不能在这一个事件序列化一个对象。
然后我发现,我可以再补充我上面的事件属性[字段:非序列化],也将努力。这是做到这一点的最好办法,或者我应该尝试建立我的序列化对象没有内部的任何事件?
The object I'm creating has some public properties and an event. I added the
[Serializable]attribute to my object, and then realized I can't serialize an object with an event in it. I then discovered that I can just add an attribute above my event[field:NonSerialized]and it will work. Is this the best way to do this, or should I try to build my Serializable objects without any events inside ?
我序列化对象可以节省一些用户有关应用程序设置。这些设置还不够敏感,去了解他们的文件进行加密,但我还是不希望他们用手工篡改,而无需打开我的应用程序。当我使用纯的BinaryFormatter 对象,通过序列化()方法序列化我的对象到一个文件,我看可读在该文件中.NET对象类型的名称我保留这。有没有办法有人逆向工程这一点,看看什么东西被保存不使用我的程序?有没有人来建立一个小型应用程序,并找出如何反序列化该文件中的信息的一种方式?如果是这样,我怎么会去在这个文件中隐藏的信息?
The object I'm serializing saves some user settings about the app. These settings aren't sensitive enough to go about encrypting them in the file, but i still don't want them to be tampered with manually without opening my application. When i serialize my object to a file using a plain BinaryFormatter object, via the Serialize() method, I see readable names of .net object types in the file i'm saving this to. Is there a way for someone to reverse engineer this and see what's being saved without using my program ? Is there a way for someone to build a small application and find out how to DeSerialize the information in this file ? If so, how would i go about hiding the information in this file ?
是否有任何其他提示/建议/最佳做法,我应该坚持将有关这种情形的序列化对象到一个文件时?
Are there any other tips/suggestions/best practices i should stick to when going about serializing an object to a file in this kind of scenario ?
在此先感谢!
推荐答案
如果你的对象实现的 ISerializable的 界面,可以控制所有存储数据/序列化你自己,你可以控制反序列化。
If your object implements the ISerializable interface, you can control all the data that is stored/serialized yourself, and you can control the deserialization.
这是很重要的,如果您的项目在时间上的发展。因为你可能会下降一些属性,添加一些或更改的行为。
This is important if your project evolves in time. Because you might drop some properties, add others, or change the behaviour.
我总是一个版本添加到系列化袋。这样,我知道什么是对象的版本,当它被存储起来,我为此知道如何反序列化。
I always add a version to the serialization bag. That way I know what was the version of the object when it was stored, and I therefor know how to deserialize it.
[Serializable]
class Example : ISerializable {
private static const int VERSION = 3;
public Example(SerializationInfo info, StreamingContext context) {
var version = info.GetInt32("Example_Version", VERSION);
if (version == 0) {
// Restore properties for version 0
}
if (version == 1) {
// ....
}
}
void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context) {
info.AddValue("Example_Version", VERSION);
// Your data here
}
}
如果你不加密,这将是很容易阅读您的数据。很容易这意味着你可能需要投入几个小时。如果您存储数据是值得一两天,这意味着它很容易,如果是只值一两分钟做起来很难。如果你明白了吧。
And if you do not encrypt, it will be very easy to "read" your data. Very easy meaning you might have to invest a couple of hours. If the data you store is worth a couple of days, this means it is easy, if it is only worth a couple of minutes it is hard. If you get the point.
一个很简单的方法来加密数据通过的 ProtectedData 类。
A very easy way to encrypt your data is using the Windows DPAPI through the ProtectedData class.
这篇关于序列化对象文件时,C#的最佳实践的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
