在我的Python程序中,我使用了Pickle模块来保存用户定义,然后在下次运行程序时将它们加载回来。现在我从Python Wiki网站上的UsingPickle文章中了解到,Pickle文件很可能被黑客攻击等等,使其变得不安全。
我注意到Pickle文件通常只留在Python脚本所在的目录中。有没有办法让这些文件更安全,远离视线?如果是这样,当在安装脚本中包含Pickle文件时,这会如何影响我在脚本上使用cx_Freeze?
import pickle
terms = pickle.load(open("save.p", "rb"))
def print_menu():
print('Computing Terms')
print()
print('0. Quit')
print('1. Look Up a Term')
print('2. Add a Term')
print('3. Redefine a Term')
print('4. Delete a Term')
print('5. Display All Terms')
while True:
print_menu()
print()
choice = input('Choice: ')
if choice == '0':
break
elif choice == '1':
print('\n')
term = input('Type in a term you wish to see: ')
if term in terms:
definition = terms[term]
print('\n')
print(term, '-', definition, '\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('This term does not exist. Try adding it instead.\n')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '2':
print('\n')
term = input('What term would you like to add?: ')
if term not in terms:
print('\n')
definition = input('What\'s the definition?: ')
terms[term] = definition
pickle.dump(terms, open("save.p", "wb"))
print('\n')
print(term, 'has been added.\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('Term already exists, try redefining it instead.\n')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '3':
print('\n')
term = input('Which term do you want to redefine?: ')
if term in terms:
definition = input('What\'s the new definition?: ')
terms[term] = definition
pickle.dump(terms, open("save.p", "wb"))
print('\n')
print(term, 'has been redefined.\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('That term doesn\'t exist, try adding it instead.')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '4':
print('\n')
term = input('Which term would you like to delete?: ')
if term in terms:
del terms[term]
pickle.dump(terms, open("save.p", "wb"))
print('\n')
print('The term has been deleted.\n')
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('This term doesn\'t exist.')
print()
print('----------------------------------------------------------------')
print()
print()
elif choice == '5':
print('\n')
print('The terms available are: ')
print()
for term in sorted(terms):
print(term)
print()
print()
print('----------------------------------------------------------------')
print()
print()
else:
print('\n')
print('Sorry, but ', choice, ' is not a valid choice.\n')
print()
print('----------------------------------------------------------------')
print()
print()
答案 0 :(得分:5)
如果您担心的是用户能够轻松地将任意代码注入程序,那么最好的办法是切换到仅存储您想要的数据类型的其他存储格式,例如JSON, XML,MsgPack等
如果您担心用户能够轻松更改值并因此破坏程序逻辑(例如在游戏中作弊),则应考虑加密用户定义文件。
任何给予客户的东西都应该被认为是不安全的。您应该始终在加载时验证数据。
答案 1 :(得分:0)
如果您想隐藏腌制文件,可以将其命名为.save.p,而不是save.p。这将在MacOS上使用默认文件管理器时隐藏它。
如果您的用户比这更聪明,您应该加密pickle文件。这是关于file encryption in Python的教程。这将添加一层安全性,但不会完全保护它,因为您仍需要确保加密密钥无法访问。
关于设置过程,我认为它不应该影响它。您只需要确保您具有所选文件的文件权限。