27

I have a script that changes a dict to a string and saves it to a file. I'd like to then load that file and use it as a dict, but it's a string. Is there something like int("7") that can change a string formatted as a dict ({a: 1, b: 2}) into a dict? I've tried dict(), but this doesn't seem to be what it does. I've heard of some process involving JSON and eval(), but I don't really see what this does. The program loads the same data it saves, and if someone edits it and it doesn't work, it's no problem of mine (I don't need any advanced method of confirming the dict data or anything).

Improve this question
5
  • If you are trying to serialize a dict why don't you just use pickle? Commented Dec 3, 2012 at 1:31
  • Yeah, why are you doing this in the first place? Commented Dec 3, 2012 at 1:32
  • @MatthewAdams What do you mean? Commented Dec 3, 2012 at 1:33
  • Pickle serializes Python objects. What @MatteoItalia is pointing out is that if you're writing dictionaries to file and need them to become valid objects again, you might as well use pickle to ease the transition. Commented Dec 3, 2012 at 1:33
  • 1
    Oh, I misread your question. Yeah you want to serialize the dictionary; pickle is one way to do that. Commented Dec 3, 2012 at 1:35

4 Answers 4

Reset to default
57

Try this, it's the safest way:

import ast ast.literal_eval("{'x':1, 'y':2}") => {'y': 2, 'x': 1}

All the solutions based in eval() are dangerous, malicious code could be injected inside the string and get executed.

According to the documentation the expression gets evaluated safely. Also, according to the source code, literal_eval parses the string to a python AST (source tree), and returns only if it is a literal. The code is never executed, only parsed, so there is no reason for it to be a security risk.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

I didn't know about ast module, thanks for this one!
Why is this safer? Isn't it susceptible to the same problem?
Oh, found the answer. It's because ast.literal_eval only works on literals. source
@MatthewAdams according to the documentation the expression gets evaluated safely. Also, according to the source, literal_eval parses the string to a python AST (source tree), and returns only if it is a literal. The code is never executed, only parsed, so there is no reason to be a security risk
Cool. I knew about ast, but I wouldn't have thought of using it here. +1
|
15

This format is not JSON, but YAML, which you can parse with PyYAML:

>>> import yaml >>> s = '{a: 1, b: 2}' >>> d = yaml.load(s) >>> d {'a': 1, 'b': 2} >>> type(d) <type 'dict'>
Improve this answer

2 Comments

This successfully converts it. Using json libraries or dict() on the string will fail. Thanks.
the yaml trick does not work well with dicts like In [12]: ast.literal_eval(s) Out[12]: {u'username': u'test'} In [13]: yaml.load(s) Out[13]: {"u'username'": "u'test'"}
8

You can use eval if you trust the input string.

>>> a=eval('{"a":1,"b":2}') >>> a {'a': 1, 'b': 2}
Improve this answer

10 Comments

However, for the sake of completeness, it should be noted that using eval is generally a bad idea.
@kuyan what's wrong with eval? People act like string-to-dict is like feeding data from online directly into a root command line.
@tkbx: eval would be okay if you're completely confident that the output is safe. But, if you don't, it could be as bad as feeding data from online directly into the command line - for example, if somebody swapped the expected input with an os.system call.
@tkbx Haha, yeah but someone could swap out the file you're reading from with a file containing malicious python code and the eval in your program would happily run it.
@tkbx Is it really important in this specific situation? Probably not. But the principle is definitely important. What if the people that wrote Microsoft Word took the same approach? If a hacker discovered that all they had to do to gain control of a system was modify one file, then that makes their "job" a whole lot easier. It's good to code with security in mind.
|
4

Serialization

What you are talking about doing is object serialization, and there are better ways of doing it than rolling your own serialization method (though you seem to have come up with YAML). Both of these are still less secure than the ast.literal_eval() approach (pickle particularly), but they definitely should be noted here.

JSON

Here is an example of doing what you want using JSON, a popular cross-language format:

import json myDict = {'a':1, 'b':2} # write to the file 'data' with open('data','w') as f: json.dump(myDict, f) # now we can load it back with open('data','r') as f: myDictLoaded = json.load(f) print myDictLoaded

Output:

{u'a': 1, u'b': 2}

pickle

Here is a second example doing the same thing using pickle. pickle is more powerful in that it can serialize all* python objects, even ones you write.

import cPickle as pickle myDict = {'a':1, 'b':2} # write to the file 'data' with open('data','w') as f: pickle.dump(myDict, f) # now we can load it back with open('data','r') as f: myDictLoaded = pickle.load(f) print myDictLoaded

Output:

{'a': 1, 'b': 2}
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.