Marshal Obj is String or Binary?

Jean-Paul Calderone exarkun at divmod.com
Sat Jan 14 17:44:49 EST 2006


On Sat, 14 Jan 2006 16:58:55 -0500, Mike Meyer <mwm at mired.org> wrote:
>"Giovanni Bajo" <noway at sorry.com> writes:
>> casevh at comcast.net wrote:
>>> Try...
>>>>>> for i in bytes: print ord(i)
>>> or
>>>>>> len(bytes)
>>> What you see isn't always what you have. Your database is capable of
>>> storing \x00 characters, but your string contains a single byte of
>>> value zero. When Python displays the string representation to you, it
>>> escapes the values so they can be displayed.
>> He can still store the repr of the string into the database, and then
>> reconstruct it with eval:
>
>repr and eval are overkill for this, and as a result create a
>security hole. Using encode('string-escape') and
>decode('string-escape') will do the same job without the security
>hole:

Using marshal at all introduces a similar security hole, so security is not an argument against repr()/eval() in this context.

Jean-Paul
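The round-trip the thread is discussing, as an added example that is not part of the original posts: Python 3 has no 'string-escape' codec, so this uses codecs.escape_encode/escape_decode as its closest equivalent, and ast.literal_eval as the substitute for eval() when a stored repr() has to be reconstructed. The SAMPLE blob and the helper names are constructed for this example.

```python
import ast
import codecs

# Constructed sample: a binary blob with a NUL byte, a high byte, a newline
# and a backslash, i.e. the kind of data the thread wants to put in a database.
SAMPLE = b"ab\x00\xff\n\\cd"


def escape_for_storage(raw: bytes) -> str:
    """Turn bytes into printable ASCII using backslash escapes.
    Closest Python 3 equivalent of Python 2's encode('string-escape')."""
    escaped, _consumed = codecs.escape_encode(raw)  # returns (bytes, length)
    return escaped.decode("ascii")


def unescape_from_storage(text: str) -> bytes:
    """Reverse escape_for_storage. Pure decoding: nothing is evaluated."""
    raw, _consumed = codecs.escape_decode(text.encode("ascii"))
    return raw


def reconstruct_from_repr(stored_repr: str) -> bytes:
    """Rebuild bytes from a stored repr() without eval().
    ast.literal_eval only accepts Python literals, so a stored value that
    is not a bytes literal is rejected instead of executed."""
    value = ast.literal_eval(stored_repr)
    if not isinstance(value, bytes):
        raise ValueError("stored value is not a bytes literal")
    return value


def is_rejected(stored_repr: str) -> bool:
    """True when reconstruct_from_repr refuses the stored text."""
    try:
        reconstruct_from_repr(stored_repr)
    except (ValueError, SyntaxError):
        return True
    return False
```

Note that escape_encode and escape_decode are present in CPython's codecs module but are not documented; the literal_eval path relies only on documented behaviour.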
