Don't use Dumper/eval where you need speed or compactness. Use the Freeze/Thaw, YAML, or other serialization methods. They all have basically the same issues of deep-copy, shallow-copy, circular-references, references-out-of-domain, etc. I like to use Dumper/eval until I know my persistence code is working reasonably well, then use something else in its place for production. Testing oddball cases may be very important.

As for security, you have posed a larger question. If an untrusted entity can surreptitiously influence the data to be loaded at all, then NO deserialization (loader) method is immune to attack. The security angle is completely orthogonal to the serialization feature, so don't let security dictate your choice there.

You can try to validate the data with a known digest/signature (such as MD5SUMs), or you can try to armor the data with a known encryption method (such as via a GPG public key), but beyond that, every loader is vulnerable. The only solution for security is to make it impossible for anyone to alter, or sometimes even read, the data. How you do that is up to you.

--
[ e d @ h a l l e y . c c ]


In reply to Re: Data Dumper, Eval, Security by halley
in thread Data Dumper, Eval, Security by Anonymous Monk
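As an added illustration of the points above (this is example code, not halley's or the thread's own code): the script below round-trips a structure with a circular reference through Data::Dumper/eval and through Storable freeze/thaw, and then shows the digest idea from the last paragraph by wrapping the frozen blob in an HMAC that is verified before any loader touches the data. The shared key, the envelope layout (hex tag, newline, payload) and the helper names `seal`/`unseal` are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use Storable qw(freeze thaw);
use Digest::SHA qw(hmac_sha256_hex);

# Constructed sample structure: nested data plus a circular reference,
# one of the "oddball cases" persistence code should be tested against.
my $cfg = { name => 'demo', limits => { max => 10 }, list => [ 1, 2, 3 ] };
$cfg->{self} = $cfg;

# --- 1. Dumper/eval while developing ---------------------------------------
# Purity=1 makes Dumper emit the fix-up statements needed to rebuild the
# cycle; without it the eval'd copy silently loses the self-reference.
$Data::Dumper::Purity   = 1;
$Data::Dumper::Sortkeys = 1;
my $perl_text = Data::Dumper->Dump( [$cfg], ['restored'] );

my $restored;
eval $perl_text;    # only ever for text this program generated itself
die "eval failed: $@" if $@;
print "Dumper/eval kept the cycle: ",
    ( $restored->{self} == $restored ? "yes" : "no" ), "\n";

# --- 2. Storable freeze/thaw for production --------------------------------
# Storable handles cycles and deep copies natively and is far more compact.
my $copy = thaw( freeze($cfg) );
print "Storable kept the cycle: ",
    ( $copy->{self} == $copy ? "yes" : "no" ), "\n";

# --- 3. Integrity check before ANY loader runs -----------------------------
# The key is an assumption for this example; real code would read it from a
# protected file or secret store, never from the serialized data itself.
my $key = 'example-shared-secret';

sub seal {
    my ($data) = @_;
    my $frozen = freeze($data);
    return hmac_sha256_hex( $frozen, $key ) . "\n" . $frozen;
}

sub unseal {
    my ($wire) = @_;
    my ( $tag, $frozen ) = split /\n/, $wire, 2;   # tag is hex, so the first newline delimits it
    die "malformed envelope\n" unless defined $frozen;
    my $expected = hmac_sha256_hex( $frozen, $key );
    die "integrity check failed: refusing to thaw\n"
        if length($tag) != length($expected);
    # Compare every byte rather than stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord( substr( $tag, $_, 1 ) ) ^ ord( substr( $expected, $_, 1 ) )
        for 0 .. length($expected) - 1;
    die "integrity check failed: refusing to thaw\n" if $diff;
    return thaw($frozen);
}

my $wire = seal($cfg);
my $ok   = unseal($wire);
print "sealed round-trip: $ok->{name}\n";

# Simulate tampering: flip one bit in the frozen payload.
my $tampered = $wire;
substr( $tampered, -1, 1 ) ^= "\x01";
eval { unseal($tampered) };
my $err = $@;
chomp $err;
print "tampered blob rejected: ", ( $err ? "yes ($err)" : "NO" ), "\n";
```

The HMAC only tells you the blob was not altered by anyone without the key; it does nothing for confidentiality, which is where the encryption option from the post comes in, and it is no help at all if the untrusted party can also reach the key.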
