Is there a safe way to thaw Data::Dumper output with eval in Perl?
I have an object that freezes data as such:
sub frozen_data {
my $self = shift;
$Data::Dumper::Indent = 0;
$Data::Dumper::Terse = 1;
return Data::Dumper->Dump( [ $self->{_DATA}, ] );
}
and a corresponding thaw:
sub thaw_data {
my ($self) = @_;
$self->{_DATA} = eval $self->{DATA};
}
this seems to work well, are there any issues with it? I also tried running this by perlcritic, and I get this:
Expression form of "eval" at line 69, column 22. See page 161 of PBP. (Severity: 5)
What's the better way to write this?
You get around it by telling Perl Critic to STFU :)
Sometimes you need to do the thing that is only generally a bad practice.
Decide what you want to allow or forbid and set up a Safe compartment and use its reval method.
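An added example of the Safe approach described in this comment (not code from the question or any commenter; the freeze_data/thaw_data names and the sample hash are my own). It freezes with the same Dumper settings as the question, plus Sortkeys for a stable key order, and thaws with reval, which refuses a string that contains anything beyond plain data literals.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use Safe;

# Freeze as in the question: Terse gives a bare expression, Indent 0 keeps
# it on one line. local() restores the package globals afterwards instead
# of changing them for every other Dumper user in the process.
sub freeze_data {
    my ($data) = @_;
    local $Data::Dumper::Indent   = 0;
    local $Data::Dumper::Terse    = 1;
    local $Data::Dumper::Sortkeys = 1;    # deterministic key order
    return Data::Dumper->Dump( [$data] );
}

# Thaw inside a Safe compartment. Its default operator mask allows the ops
# needed to build literals (constants, anonymous lists and hashes) but traps
# file and process operations, so non-data input fails instead of running.
sub thaw_data {
    my ($frozen) = @_;
    my $cpt  = Safe->new;
    my $data = $cpt->reval($frozen);
    die "thaw failed: $@" if $@;
    return $data;
}

# Constructed sample data, round-tripped through freeze and thaw.
my $orig   = { akey => 'front', ckey => 'front_of_c', list => [ 1, 2, 3 ] };
my $frozen = freeze_data($orig);
print "frozen: $frozen\n";
my $copy = thaw_data($frozen);
print "thawed: $copy->{ckey}, ", scalar @{ $copy->{list} }, " items\n";

# A constructed string that is code rather than data: the compartment traps
# 'open' by its operation mask, whereas a bare eval would have executed it.
my $not_data = q{ open(my $fh, '>', 'not-data.txt'); {} };
my $result = eval { thaw_data($not_data) };
print "rejected: $@" if $@;
```

Blessed objects inside the data still need the bless op and the target packages to exist in the compartment, so the Safe route is simplest when the frozen structure is plain hashes, arrays and scalars.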
As long as you know the only source of that data is the frozen data you yourself have created using Dumper, you're fine.
The alternative is to use something other than Dumper, such as Storable.
There's no way around it if you're thawing output from Data::Dumper. An alternative is Storable.
If you're accepting untrusted inputs and handing them unchecked to eval, you should immediately redesign this mechanism because it leaves the front door wide open. For marshalling internal data, I wouldn't sweat the warning.
For anyone looking at this and wondering whether to roll their own serialization, there might be some benefit gained by looking at this blog post that compares a list of several existing serializers and gives some advantages and disadvantages of each:
http://blogs.perl.org/users/steven_haryanto/2010/09/comparison-of-perl-serialization-modules.html
He mentions Data::Dumper, Storable, YAML::XS, Data::Dump, XML::Dumper, JSON::XS, JSYNC, and FreezeThaw. He concludes that there are features missing from all of them:
Also see the points people made in the comments. It's just good to get the perspective of people who've run into issues before, etc.
If you are rolling your own serialization, you might want to look at the pros and cons mentioned there (speed, ability to handle things like regular expressions and circular references, etc). This can possibly head off problems for you that you haven't realized you were likely to run into.
Also, when you are using Dumper for serialization, it's good to understand all the options Data::Dumper gives you for output.
Is it going into a database where, some time in the future, someone is going to want to do a SQL query with a LIKE pattern? If so, you'll be happy you used Sortkeys because then you can do LIKE '%akey=front%ckey=front_of_c%' and you only have one ordering to worry about instead of n factorial.
As an example, here's what a friend of mine uses for serialization with Dumper:
I would recommend reading the docs of Dumper so you can understand what modifications those options make.