Question
I have a piece of code that receives a string formatted as a Python dictionary
"{'a':'1','b':'2',...}"
which I need to convert to a proper dictionary.
I have tried two approaches, using json.loads(s) and ast.literal_eval(s).
ast seems to be much more robust, accepting any form of quotes in the string and "just works" while json seems to be very picky about the quoting specifics and wouldn't fail on only a single form of quote format. I really would like to be as flexible as possible with the input and thus prefer to use ast; however, some of my colleagues claim it might not be a "safe" module and function to use.
Can anyone advise on ast and ast.literal_eval() safety, especially compared to json.loads()?
Thanks
Answer 1:
Use ast.literal_eval() - it's designed to do what you want. JSON happens to work as the syntax matches, but that isn't something you should rely on.
As to safety, literal_eval() is specifically designed to be safe to use on data from untrusted sources. The first word of the docs, in fact, is 'Safely':
Safely evaluate an expression node or a string containing a Python expression. The string or node provided may only consist of the following Python literal structures: strings, numbers, tuples, lists, dicts, booleans, and None.
This can be used for safely evaluating strings containing Python expressions from untrusted sources without the need to parse the values oneself.
Those that advised you against using it were probably thinking of eval(), which is indeed unsafe.
Source: https://stackoverflow.com/questions/12735106/python-ast-vs-json-for-str-to-dict-translation
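Added example (not part of the original question or answer): json.loads and ast.literal_eval compared on the question's input format, with literal_eval wrapped in a hypothetical helper, parse_dict_literal, that also checks the shape of the result. The MAX_LEN cap, the ParseError class and the sample strings are assumptions; the caught exceptions are the ones the Python documentation lists for ast.literal_eval on malformed or deeply nested input.

```python
import ast
import json

MAX_LEN = 10_000  # assumed cap on input size; tune for your data

class ParseError(ValueError):
    """Raised when the input is not a flat dict of str -> str."""

def parse_dict_literal(s, max_len=MAX_LEN):
    """Parse "{'a':'1','b':'2'}" style input into a dict, or raise ParseError."""
    if not isinstance(s, str) or len(s) > max_len:
        raise ParseError("input missing or too large")
    try:
        value = ast.literal_eval(s)
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        # literal_eval refuses names, calls, attribute access and most operators
        raise ParseError(f"not a Python literal: {type(exc).__name__}") from exc
    if not isinstance(value, dict):
        raise ParseError("top-level value is not a dict")
    for k, v in value.items():
        if not isinstance(k, str) or not isinstance(v, str):
            raise ParseError("keys and values must be strings")
    return value

def json_accepts(s):
    """True if json.loads parses s; JSON only allows double-quoted strings."""
    try:
        json.loads(s)
        return True
    except json.JSONDecodeError:
        return False

# Constructed sample inputs
SAMPLES = [
    "{'a':'1','b':'2'}",   # the question's format: single quotes
    '{"a":"1","b":"2"}',   # double quotes: also valid JSON
    "{'a': len('xyz')}",   # function call: not a literal
    "['a', 'b']",          # a literal, but not a dict
    "{'a': 1}",            # value is an int, not a str
]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            print(repr(s), json_accepts(s), parse_dict_literal(s))
        except ParseError as exc:
            print(repr(s), json_accepts(s), "rejected:", exc)
```
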