如何用Python保存数据?
我正在用 Python 编写一个程序,希望用户能够保存他们正在处理的数据。我研究过cPickle;看起来这将是一种快速而简单的保存数据的方法,但似乎不安全。由于整个函数、类等都可以被腌制,我担心流氓保存文件可能会将有害代码注入程序中。有没有办法可以阻止这种情况,或者我应该研究其他保存数据的方法,例如直接转换为字符串(这似乎也不安全)或创建 XML 层次结构并将数据放入其中。
我是Python新手,所以请耐心等待。
提前致谢!
编辑:至于我存储的数据类型,主要是字典和列表。诸如姓名、速度等信息。现在相当简单,但将来可能会变得更加复杂。
I am working on a program in Python and want users to be able to save data they are working on. I have looked into cPickle; it seems like it would be a fast and easy way to save data, it seems insecure. Since entire functions, classes, etc can be pickled, I am worried that a rogue save file could inject harmful code into the program. Is there a way I can prevent that, or should I look into other methods of saving data, such as directly converting to a string (which also seems insecure,) or creating an XML hierarchy, and putting data in that.
I am new to python, so please bear with me.
Thanks in advance!
EDIT: As for the type of data I am storing, it is mainly dictionaries and lists. Information such as names, speeds, etc. It is fairly simple right now, but may get more complex in the future.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
根据您的描述,JSON 编码是安全且快速的解决方案。 python2.6中有一个json模块,你可以这样使用它:
JSON格式是人类可读的,与python中的字典字符串表示非常相似。并且不存在像pickle那样的任何安全问题。如果没有 python2.6 可以安装 cjson 或 simplejson
不能使用JSON 用于保存像 Pickle 这样的 Python 对象。但你可以用它来保存:字符串、字典、列表……对于大多数情况来说这已经足够了。
解释为什么pickle不安全。来自python 文档:
有一些方法可以保护自己,但在您的情况下使用 JSON 会容易得多。
From your description JSON encoding is the secure and fast solution. There is a json module in python2.6, you can use it like this:
JSON format is human readable and is very similar to the dictionary string representation in python. And doesn't have any security issues like pickle. If you don't have python2.6 you can install cjson or simplejson
You can't use JSON to save python objects like Pickle. But you can use it to save: strings, dictionaries, lists, ... It can be enough for most cases.
To explain why pickle is insecure. From python docs:
There are some ways to defend yourself but it is much easier to use JSON in your case.
您可以执行以下操作:
写入
读取
我想知道是什么让您认为数据文件将被篡改,但您的应用程序不会被篡改?
You could do something like:
to write
to read
I wonder though what makes you think that the data files are going to be tampered but your application is not going to be?
*****在这个答案中,我只关心应用程序完整性的意外损坏。*****
Pickle 是“安全的”。可能不安全的是访问您没有编写的代码,例如在插件中;但这与泡菜无关。
当您pickle一个对象时,它的所有数据都会被保存,但代码和实现不会。这意味着当 unpickle 时,更新的对象可能会发现它内部有“旧式”数据(如果您更新实现)。这是您必须了解和处理的事情(如果适用)。
Pickling 字符串、列表、数字、字典非常简单并且工作完美,与 JSON 相当。 Pickle 的魔力在于——有时无需调整——即使是复杂的 Python 对象也可以被 pickle。但只有数据被腌制;只需通过保存的模块名称和对象的类型名称即可重建实例。
*****In this answer, I'm only concerned about accidental corruption of the application's integrity.*****
Pickle is "secure". What might be insecure is accessing code you didn't write, for example in plugins; that is not relevant to pickles though.
When you pickle an object, all its data is saved, but code and implementation is not. This means when unpickled, an updated object might find it has "old-style" data inside (if you update the implementation). This is something you must know and handle, if applicable.
Pickling strings, lists, numbers, dicts is very easy and works perfectly, and comparably to JSON. The Pickle magic is that -- sometimes without adjustment -- even complex python objects can be pickled. But only data is pickled; the instances are reconstructed simply by the saved module name and type name of the object.
在我们回答之前,您需要向我们提供更多背景信息:您要保存什么类型的数据、有多少数据、您想如何访问它?
至于泡菜:它们不存储代码。当您 pickle 函数或类时,存储的是名称,而不是实际代码本身。
You need to give us more context before we can answer: what type of data are you saving, how much is there, how do you want to access it?
As for pickles: they do not store code. When you pickle a function or class, it is the name that is stored, not the actual code itself.
您应该使用某种数据库。以 pickle 格式存储并不是一个好主意(在大多数情况下)。您可能会考虑:
您可能会在此处找到一些其他解决方案。
You should use a database of some kind. Storing in pickle format isn't a good idea (in most cases). You may consider:
You may find some other solutions here.
具体来说,谁是反社会者,正在努力通过破解 pickled 文件来破坏程序?
这是Python。反社会者有你的来源。他们不需要胡乱破解你的pickle 文件。他们可以编辑您的源代码并进行他们想要的所有“破坏”。
除非您卷入与有组织犯罪集团的诉讼,否则不要担心“不安全”。
不用担心“流氓保存文件可能会将有害代码注入程序”。当他们拥有源代码时,没有人会为流氓保存文件而烦恼。
Who -- specifically -- is the sociopath who's going through the effort to break a program by hacking the pickled file?
It's Python. The sociopath has your source. They don't need to fool around hacking your pickle file. They can just edit your source and do all the "damage" they want.
Don't worry about "insecurity" unless you're involved in litigation with organized crime syndicates.
Don't worry about "a rogue save file could inject harmful code into the program". No one will bother with a rogue save file when they have the source.
您可能喜欢使用 y_serial 模块
http://yserial.sourceforge.net
读起来像教程,但实际上提供了
用于序列化和持久化的工作代码。
评论讨论了一些优点和缺点
与此处提出的问题相关。
它被设计为一个通用的解决方案
使用 SQLite 存储压缩的 Python 对象
(几乎没有 SQL 大惊小怪;-)
希望这会有所帮助。
You might enjoy working with the y_serial module over at
http://yserial.sourceforge.net
which reads like a tutorial but operationally offers
working code for serialization and persistance.
The commentary discusses some of the pros and cons
relevant to issues raised here.
It's designed to be a general solution to
warehousing compressed Python objects with SQLite
(with almost no SQL fuss ;-)
Hope this helps.