sebastiannielsen2:

I've been using JSON for persisting data structures lately, and am pretty happy with it. (One reason is that we're a multilanguage shop, and plenty of systems use JSON for I/O.)

...roboticus

When your only tool is a hammer, all problems look like your thumb.

That's not correct, both are designed to produce perl code which can be evaled . Furthermore is Data::Dumper a core module.

Though there are traps when dealing with special structures like objects and recursive references (similar with JSON)

As long as you are only dealing with hashes, arrays and "normal" scalars (like strings) you should be more than fine.

Is Data::Dump/Data::Dumper safe with unsanitized user input/unsafe data? Im feeding email data directly into a hash. Dumping the hash is no problem, but undumping it with eval. Is Data::Dump/Data::Dumper making sure any code inside Always is completely 100% safe to run - provided I only deal with hashes, strings and arrays?

> safe with unsanitized user input/unsafe data?

Good question ...

lets test:

  DB<103> $hash={ key => ' text @{[print "Injection" ]} text' }
 => { key => " text \@{[print \"Injection\" ]} text" }

  DB<104> use Data::Dumper

  DB<105> $str = Dumper $hash
$VAR1 = {
          'key' => ' text @{[print "Injection" ]} text'
        };

  DB<106> eval $str
 => { key => " text \@{[print \"Injection\" ]} text" }

  DB<108> print $VAR1->{key}
 text @{[print "Injection" ]} text
[download]

Looks fine for me. =)

update

Explanation: Data::Dumper puts strings into single quotes, so no danger of interpolation.

Data::Dump uses double quotes, but escapes all sigils.

update

NB: eval of included strings can still be dangerous! They don't sanitize dangerous strings for you, they will just reproduce the original data structure.

Cheers Rolf
_{(addicted to the Perl Programming Language and ☆☆☆☆ :)}

PS: Je suis Charlie!