I have an inventory program that I create instances of objects in, and I'd naturally like to save it and then re-load it. I've completed it with pickle but I want to do it with the json module for added security.

I simply need to know how to write an Encoder/Decoder to serialize, and simplified steps would be great. I've gotten responses/help/advice to write like this:

(the link is to another Stack Overflow question that's basically exactly what I'm trying to understand... it's short and contains a code example)

How to save a dictionary of objects?

but I still don't quite get it. If you could comment the code in any examples you write I'd really appreciate it. I would also like to stay away from decorators if possible since I'm having a heck of a time understanding them as well.

AmericanMade
  • This isn't an answer, but why do you think json is more secure than pickle? Pickle is binary and json is text, so off the top of my head I would think pickle is slightly more secure to begin with. – Paul Cornelius Jul 13 '16 at 01:40
  • From everything I've read the last two days it's because other info can be put into a pickled file and then when re-opened, any commands or something that were written in are automatically put into place. They say that unless you are absolutely confident in the source where you're getting your pickled data that you shouldn't open it. This [link](https://docs.python.org/3.4/library/pickle.html#module-pickle) can tell you all about it. – AmericanMade Jul 13 '16 at 01:47
  • I know. But the exact same statement can be made regarding json, which after all is just a different format for the file that contains your data. In practice you can hack a json file pretty easily with a text editor. So how does json help you? Are you investing a lot of time and effort to not-solve a problem? – Paul Cornelius Jul 13 '16 at 02:13
  • Maybe, but I already completed the project with `pickle`. I just saw everywhere, even in the `pickle` documentation that pickle is much less secure. As you can see, I don't know a bunch about either just yet! – AmericanMade Jul 13 '16 at 02:21
  • I've used both and I don't agree. Neither is secure - they're equally insecure, because both are just formats for data files. If you want security, you need to achieve that by making the files themselves secure. Writing a custom json interpreter isn't a huge deal but it's one more thing to learn, and it isn't a solution to your problem. – Paul Cornelius Jul 13 '16 at 02:37
  • I found a couple of supporting threads for json over pickle. Might be worth a quick skim... [Link 1](http://stackoverflow.com/questions/6794454/json-vs-pickle-security) [Link 2](http://stackoverflow.com/questions/2259270/pickle-or-json) – AmericanMade Jul 13 '16 at 22:06
  • The security concern with pickle is that someone can hack your binary data file and insert an object that does harm when it gets unpickled. Since pickling supports arbitrary objects, that's possible; but is it realistic? Someone with a great deal of expertise, inside knowledge and malicious intent would have to get his hands into your system. Do you really need to protect against that? OTOH you said you already have a working pickle implementation. You have to decide what's important for you. – Paul Cornelius Jul 14 '16 at 00:59
  • Yeah, I see your point. My goal is actually to just learn as much as possible so I want to do it both ways! I also do like the human readability of JSON, so maybe that's why I'm so interested! Thanks for all the input! – AmericanMade Jul 14 '16 at 01:56

0 Answers
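
The following is an added example, not code from the question, its comments or the linked thread: a commented JSON encoder/decoder of the kind the question asks for, written without decorators. `json.loads` on its own only produces dicts, lists, strings, numbers, booleans and `None`, so the loader below builds objects only for classes named in an allow-list and rejects unknown tags, extra fields and wrongly typed values in an edited file. The `Item` class, the `ALLOWED` table, the `__type__` tag and the `save`/`load` helpers are hypothetical names chosen for the illustration.

```python
import json

class Item:  # hypothetical inventory class standing in for the asker's objects
    def __init__(self, name, quantity, price):
        self.name = name
        self.quantity = quantity
        self.price = price

# Allow-list: the only classes the loader may build, with each field's type.
ALLOWED = {"Item": (Item, {"name": str, "quantity": int, "price": (int, float)})}

class InventoryEncoder(json.JSONEncoder):
    def default(self, obj):
        # json calls default() only for objects it cannot serialize itself.
        entry = ALLOWED.get(type(obj).__name__)
        if entry is None or type(obj) is not entry[0]:
            return super().default(obj)  # raises TypeError for unknown types
        data = {field: getattr(obj, field) for field in entry[1]}
        data["__type__"] = type(obj).__name__  # tag so load() knows the class
        return data

def inventory_hook(d):
    # json calls this for every decoded JSON object, innermost first.
    if "__type__" not in d:
        return d  # an ordinary dict, e.g. the inventory itself
    tag = d["__type__"]
    if not isinstance(tag, str) or tag not in ALLOWED:
        raise ValueError("unexpected type tag: %r" % (tag,))
    cls, fields = ALLOWED[tag]
    if set(d) != set(fields) | {"__type__"}:
        raise ValueError("unexpected fields for %s" % tag)
    for field, expected in fields.items():
        if not isinstance(d[field], expected):
            raise ValueError("bad value for %s.%s" % (tag, field))
    return cls(**{field: d[field] for field in fields})

def save(inventory):
    return json.dumps(inventory, cls=InventoryEncoder, indent=2)

def load(text):
    return json.loads(text, object_hook=inventory_hook)

if __name__ == "__main__":
    inventory = {"widget": Item("widget", 3, 2.5)}  # constructed sample data
    text = save(inventory)
    print(text)
    print(load(text)["widget"].quantity)
```

To persist to disk, write the string returned by `save` to a file and pass the file's contents to `load`; adding another class means adding one entry to `ALLOWED`.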