Re: json


Don't forget the context in which JSON is actually going to be used; e.g.

  1. The server happens to be using maps for several different tasks, e.g., to return SQL data, to keep track of internal server settings such as the DB password and billing API keys, store deserialized JSON for the shopping cart, etc.
  2. The user sets his cookie to {"Cart":[1,2,3,4,5,...,98,99,100]}, then adds some item to his cart.
  3. The server deserializes the cart data, adds that item to the end, then serializes it again and sends it back and/or converts it to HTML for display.
  4. The user's cookie now looks like this: {"Cart":[{/SENSITIVE DATA/},{/USELESS DATA/},{/SENSITIVE DATA/},{/USELESS DATA/},{/ITEM ADDED TO CART/},...,98,99,100,{/ITEM ADDED TO CART/}]}


Any assumption that "unlikely" circumstances like this will never happen could not be more invalid than when working with user-supplied data; it has to be bulletproof in all cases. The memoization hack fixes the crash, but nothing else. Another hack might fix this issue, but it would leave several more holes, and so on. It would also become needlessly convoluted.

The only way this can work reliably at all is with explicit typing, e.g., using the method above.

That would fix the map issue elegantly, as well as the issue of distinguishing arrays vs. strings and values such as nulls that cannot be represented in Eu.
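
The scenario in the post above, as an added example that is not part of the original post and is not Euphoria code: a Python model assuming a runtime where a map is referred to by a plain integer handle. The registry, the function names and the secret value are all constructed for illustration; it shows a serializer that guesses types leaking server maps through the cart cookie, next to one that dispatches on explicit type tags.

```python
import json

# Constructed model: maps live in a registry and are referred to by plain
# integer handles, so a handle looks exactly like an ordinary number.
_MAPS = {}

def new_map(contents):
    handle = len(_MAPS) + 1
    _MAPS[handle] = dict(contents)
    return handle

# Server-side maps created before any request arrives (constructed values).
SETTINGS = new_map({"db_password": "CONSTRUCTED-SECRET"})   # handle 1
SQL_ROW = new_map({"row": "cached"})                        # handle 2
COOKIE = '{"Cart":[1,2,3]}'                                 # user-supplied

def serialize_guessing(value):
    """Untyped serializer: any integer that is a live handle is 'a map'."""
    if isinstance(value, int) and value in _MAPS:
        return {k: serialize_guessing(v) for k, v in _MAPS[value].items()}
    if isinstance(value, list):
        return [serialize_guessing(v) for v in value]
    return value

def parse_typed(obj):
    """Tag every value at parse time; a number can never become a handle."""
    if isinstance(obj, list):
        return ("arr", [parse_typed(v) for v in obj])
    if isinstance(obj, dict):
        return ("obj", {k: parse_typed(v) for k, v in obj.items()})
    kind = {type(None): "null", bool: "bool", str: "str"}.get(type(obj), "num")
    return (kind, obj)

def serialize_typed(tagged):
    """Dispatch on the tag only, never on what the payload looks like."""
    tag, payload = tagged
    if tag == "arr":
        return [serialize_typed(v) for v in payload]
    if tag == "obj":
        return {k: serialize_typed(v) for k, v in payload.items()}
    return payload

def add_to_cart_guessing(cookie, item):
    cart = json.loads(cookie)["Cart"] + [item]
    return json.dumps({"Cart": serialize_guessing(cart)})

def add_to_cart_typed(cookie, item):
    tag, fields = parse_typed(json.loads(cookie))
    fields["Cart"][1].append(("num", item))
    return json.dumps(serialize_typed((tag, fields)))
```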
