|
Re: Data Dumper, Eval, Security
by Ovid (Cardinal) on Jun 12, 2003 at 19:41 UTC
|
Check out YAML. It's a fast data serialization language that is frequently a better alternative to Data::Dumper. I suspect the latter is still around mostly due to inertia. You can also read about YAML at the YAML web site.
On the other hand, I don't know that YAML will let me do this:
print Data::Dumper->Dump(
[$foo,$bar,$baz],
[qw(*foo *bar *baz)]
);
That last bit will Dumper variables with the labels you assign (instead of the usual $VAR1, $VAR2, etc. labels). It's pretty nifty.
Cheers,
Ovid
New address of my CGI Course.
Silence is Evil (feel free to copy and distribute widely - note copyright text) | [reply]
[d/l] |
|
|
| [reply] |
Re: Data Dumper, Eval, Security
by halley (Prior) on Jun 12, 2003 at 20:02 UTC
|
Don't use Dumper/eval where you need speed or compactness. Use the Freeze/Thaw, YAML, or other serialization methods. They all have basically the same issues of deep-copy, shallow-copy, circular-references, references-out-of-domain, etc. I like to use Dumper/eval until I know my persistence code is working reasonably well, then use something else in its place for production. Testing oddball cases may be very important.
As for security, you have posed a larger question. If an untrusted entity can surreptitiously influence the data to be loaded at all, then NO deserialization (loader) method is immune to attack. The security angle is completely orthogonal to the serialization feature, so don't let security dictate your choice there.
You can try to validate the data with a known digest/signature (such as MD5SUMs), or you can try to armor the data with a known encryption method (such as via a GPG public key), but beyond that, every loader is vulnerable. The only solution for security is to make it impossible for anyone to alter, or sometimes even read, the data. How you do that is up to you.
--
[ e d @ h a l l e y . c c ]
| [reply] |
Re: Data Dumper, Eval, Security
by theorbtwo (Prior) on Jun 12, 2003 at 21:24 UTC
|
While not using eval() is a good thing, as far as security goes, note that if you're worried about your data store possibly being messed with by Bad People, you shouldn't trust the data (IE treat it as tainted, preferably by actualy tainting it), no matter what method you use to recessitate it.
Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).
| [reply]
[d/l] |
Re: Data Dumper, Eval, Security
by perrin (Chancellor) on Jun 12, 2003 at 20:15 UTC
|
Data::Dumper is for debugging. For storing data and restoring it, you should use Storable. | [reply] |
Re: Data Dumper, Eval, Security
by Jenda (Abbot) on Jun 12, 2003 at 20:37 UTC
|
do() is eval(). The only difference is that one reads and evals a file while the other evals a string.
Jenda
Always code as if the guy who ends up maintaining your code
will be a violent psychopath who knows where you live.
-- Rick Osborne
Edit by castaway: Closed small tag in signature | [reply]
[d/l]
[select] |
Re: Data Dumper, Eval, Security
by Aristotle (Chancellor) on Jun 15, 2003 at 13:16 UTC
|
| [reply] |