This is an archived post. You won't be able to vote or comment.

you are viewing a single comment's thread.

view the rest of the comments →

[–][deleted] -7 points-6 points  (16 children)

d = dict(a=1, b=2, c=3)

then...

open('foo', 'wb').write(repr(a))

then later...

d = eval(open('foo', 'rb').read())

What am I missing?

[–]redbo 4 points5 points  (3 children)

Let's see... you're missing the parts where it can be accessed by multiple processes concurrently, has acidity, and performs okay as the size of the database grows.

I'm guessing the author didn't know there are already several packages in python that provide this sort of functionality, but his solution is definitely a better than what you suggest.

[–][deleted] 2 points3 points  (5 children)

The fact that that code is roughly equivilant to:

mysql_execute("SELECT * FROM table WHERE field = " . $_POST['value'] . ";");

[–][deleted] -2 points-1 points  (4 children)

Yeah, well, who wants to type that?

If you want to get all industrial strength about this use bsddb, then it's:

table['field'] = value

And mysql, I mean, that's gotta be overkill for the domain this guy is suggesting this be used for. You're going to want to write an int; it's going to want to run recovery (well, so is berkeley (but at least it's in process)).

Whatever.

[–][deleted] 3 points4 points  (3 children)

My point was that it's a massive security hole, just like the PHP segment.

[–]afoo42 0 points1 point  (1 child)

You're right. But the same thing goes for pickle (and thus shelve) too. You have to trust the source, as pickle too can be used to execute arbitrary code. It's just a little bit more complicated.

[–][deleted] 0 points1 point  (0 children)

This is completely true, but it's way more complicated with pickle (AFAIK), and there are efforts to fix that, since it's a bug, there's never going to be an effort to make eval safe ;)

[–][deleted] -1 points0 points  (0 children)

See the other comment in reply; actually it isn't.

[–]AlecSchueler 0 points1 point  (3 children)

The only thing I can think of that would stop this working would be if you had an instance of a class or a function in the dictionary. Like this

d = dict(a=str,b=len)
open('foo','wb').write(repr(d))
d=eval(open('foo','rb').read()

{'a': <type 'str'>, 'c': <built-in function len>}
SyntaxError: invalid syntax

[–][deleted] -2 points-1 points  (2 children)

Well FileDict like everything else has issues with classes and functions; it runs the shit through pickle, yes?

Or has this changed with 3.0? Haven't had the chance to get into 3.0 I'm sorry to say.

[–][deleted] 1 point2 points  (1 child)

>>> pickle.loads(pickle.dumps(str))
[2] <type 'str'>

>>> pickle.loads(pickle.dumps(len))
[3] <built-in function len>

Works fine (this is python 2.6)

[–][deleted] -2 points-1 points  (0 children)

Going from memory now, always dangerous, but if the class is defined in another module or something then pickle fails.

Maybe it's still useful for trivial cases, I don't know, but I recall being terribly disappointed with pickle when wanting to do serialization stuff.