non-pickle persistence for dicts?
Ian Kelly
ian.g.kelly at gmail.com
Wed May 16 18:11:21 EDT 2012
On Wed, May 16, 2012 at 3:52 PM, Charles Hixson
<charleshixsn at earthlink.net> wrote:
> I want to persist simple dicts, but due to the security problems with
> (un)pickle, I'd prefer to not use shelve, and the only way I could see to
> persist them onto sqlite also invoked pickle.
>
> As (un)pickle allows arbitrary system commands to be issued, I'd really
> rather just use a simple convert to and from either bytes or strings. repr
> works well for the conversion into string (I said they were simple), but I'd
> really rather be able to turn "{'a': 'A', 1: 23, 2: ['b', 2]}" back into a
> dict without allowing the execution of arbitrary commands.
>
> Any suggestions?

Either json, or repr with ast.literal_eval will be safe.

>>> import json
>>> d = {'a': 'A', 1: 23, 2: ['b', 2]}
>>> json.dumps(d)
'{"a": "A", "1": 23, "2": ["b", 2]}'
>>> json.loads(json.dumps(d))
{'a': 'A', '1': 23, '2': ['b', 2]}
>>> import ast
>>> ast.literal_eval(repr(d))
{'a': 'A', 1: 23, 2: ['b', 2]}

Cheers,
Ian
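
An added example, not part of the original post: the repr/ast.literal_eval round trip from the reply above wrapped as load and dump helpers, with json alongside to show the key-type change visible in the session. The function names, the size cap, and the rejected input string are assumptions constructed for illustration.

```python
import ast
import json

MAX_LEN = 1_000_000  # assumed upper bound on stored text, to limit parser work


def load_dict(text):
    """Parse text written by repr() back into a dict without evaluating code."""
    if len(text) > MAX_LEN:
        raise ValueError("input too large")
    try:
        value = ast.literal_eval(text)  # literals only: no names, calls, attributes
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a plain literal: {exc}") from None
    if not isinstance(value, dict):
        raise ValueError("expected a dict literal")
    return value


def dump_dict(d):
    """Serialize with repr(), failing at write time if it would not load back."""
    text = repr(d)
    if load_dict(text) != d:
        raise ValueError("dict does not round-trip through repr")
    return text


def json_roundtrip(d):
    """Same data through json, for comparison: non-string keys become strings."""
    return json.loads(json.dumps(d))


def is_rejected(text):
    """True if load_dict refuses the text."""
    try:
        load_dict(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    d = {'a': 'A', 1: 23, 2: ['b', 2]}        # the dict from the post
    print(load_dict(dump_dict(d)) == d)       # key types survive repr/literal_eval
    print(json_roundtrip(d) == d)             # int keys come back as str via json
    print(is_rejected("{'a': abs(-1)}"))      # constructed input containing a call
```

Checking the round trip inside dump_dict surfaces values that repr cannot represent as literals when the data is written, rather than when it is read back.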