Beefy Boxes and Bandwidth Generously Provided by pair Networks
Come for the quick hacks, stay for the epiphanies.
 
PerlMonks  

Re: Accessing variables in an external hash without eval

by afoken (Chancellor)
on May 17, 2017 at 07:59 UTC ( #1190445=note: print w/replies, xml ) Need Help??


in reply to Accessing variables in an external hash without eval

Consider using a different storage format. I would choose JSON:

FormatHuman readableArbitary structures
(See update below)		8-bit cleanVersion independantCross languageMay execute code from fileUnexpected network accessMemory usage attackComments
Perl source code (generated manually or by tools like Data::Dumper)kind ofyesyesmostlyno (only perl can parse Perl)yesby executable codeby executable codeyes
Storablenoyesyesno (depends on Perl version, limited compatibility with other versions)nonononono
XMLyesyesno
  • \x00 is illegal in XML, workaround like base64 required
  • any amount of whitespace is often treated as a single space (CDATA required)
yesyesnoyesyesyes
YAMLyes (but with strange rules)yesyesyesyesyes (may be disabled)by executabe codeby executabe codeyes
JSONyesyesyesyesyesnononono (but some parsers allow Javascript or shell comments)
INIyesno, only HoHno (escaping rules depend on reader and writer)yesyesnononoyes
CSVyesno, only 2D-Array (AoA)no (escaping rules depend on reader and writer)yesyesnononono

See also Re^4: The safety of string eval and block eval. and Re^2: Storing state of execution

Updates:

"Arbitary structures" was not meant as arbitary as I wrote, thanks tobyink++. It should read something like "any mix of scalars, arrays, and hashes, without circular references, handles, code references, globs".

"Memory usage attack" means that either the parsed file uses significantly more memory (several orders of magnitute) than the file size, or parsing the file may execute code that allocates much memory.

"Unexpected network access" means either that parsing the file completely and correctly may require reading additional data from the internet, or parsing the file may execute code that accesses the network.

"8 bit clean" means that any binary data may be stored and fetched.

Added comments column

Added Data::Dumper

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
  • Comment on Re: Accessing variables in an external hash without eval

Replies are listed 'Best First'.
Re^2: Accessing variables in an external hash without eval
by tobyink (Canon) on May 17, 2017 at 08:46 UTC

    JSON cannot store "arbitrary structures". Not unless your definition of "arbitrary" is extremely limited. It can't contain cyclic references for example. Something like this can be represented in Perl code, Storable, YAML, and (using IDREF) probably in XML, but not JSON…

    use strict;
use warnings;
use Data::Dumper qw(Dumper);
use YAML::XS qw(Dump);

my $data = do {
   my $child  = {};
   my $parent = { child => $child };
   $child->{parent} = $parent;
};

print "#### Perl ####\n";
print Dumper($data), "\n";

print "#### YAML ####\n";
print Dump($data), "\n";

    [download]
[reply]
[d/l]
      JSON cannot store "arbitrary structures". Not unless your definition of "arbitrary" is extremely limited. It can't contain cyclic references for example.

      You are right.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
[reply]

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://1190445]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others meditating upon the Monastery: (5)
As of 2023-12-10 19:53 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    What's your preferred 'use VERSION' for new CPAN modules in 2023?











    Results (41 votes). Check out past polls.
    Notices?