在我的Python程序中,我使用了Pickle模块来保存用户定义,然后在下次运行程序时将它们加载回来.现在我从Python Wiki网站上的UsingPickle文章中了解到,Pickle文件很可能被黑客攻击等等,使其变得不安全.
我注意到Pickle文件通常只留在Python脚本所在的目录中.有没有办法让这些文件更安全,远离视线?如果是这样,当在安装脚本中包含Pickle文件时,这会如何影响我在脚本上使用cx_Freeze?
import pickle
terms = pickle.load(open("save.p", "rb"))
def print_menu():
print('Computing Terms')
print()
print('0. Quit')
print('1. Look Up a Term')
print('2. Add a Term')
print('3. Redefine a Term')
print('4. Delete a Term')
print('5. Display All Terms')
while True:
print_menu()
print()
choice = input('Choice: ')
if choice == '0':
break
elif choice == '1':
print('\n')
term = input('Type in a term you wish to see: ')
if term in terms:
definition = terms[term]
print('\n')
print(term, '-', definition, '\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('This term does not exist. Try adding it instead.\n')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '2':
print('\n')
term = input('What term would you like to add?: ')
if term not in terms:
print('\n')
definition = input('What\'s the definition?: ')
terms[term] = definition
pickle.dump(terms, open("save.p", "wb"))
print('\n')
print(term, 'has been added.\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('Term already exists, try redefining it instead.\n')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '3':
print('\n')
term = input('Which term do you want to redefine?: ')
if term in terms:
definition = input('What\'s the new definition?: ')
terms[term] = definition
pickle.dump(terms, open("save.p", "wb"))
print('\n')
print(term, 'has been redefined.\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('That term doesn\'t exist, try adding it instead.')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '4':
print('\n')
term = input('Which term would you like to delete?: ')
if term in terms:
del terms[term]
pickle.dump(terms, open("save.p", "wb"))
print('\n')
print('The term has been deleted.\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('This term doesn\'t exist.')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '5':
print('\n')
print('The terms available are: ')
print()
for term in sorted(terms):
print(term)
print()
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('Sorry, but ', choice, ' is not a valid choice.\n')
print()
print('----------------------------------------------------------------')
print()
print()
如果您担心的是用户能够轻松地将任意代码注入到程序中,那么最好的办法是切换到另一种存储格式,该格式只存储您想要的数据类型,例如JSON,XML,MsgPack等.
如果您担心的是用户能够轻松更改值并因此破坏程序逻辑(例如在游戏中作弊),则应考虑加密用户定义文件.
给客户的任何东西都应该被认为是不安全的.您应始终在加载时验证数据.