What are the deficiencies of the built-in BinaryFormatter-based .NET serialization? (Performance, flexibility, restrictions)
Please accompany your answer with some code if possible.
Example:
Custom objects being serialized must be decorated with the [Serializable] attribute or implement the ISerializable interface.
Less obvious example:
Anonymous types can not be serialized.
BinaryFormatter's use violates 2.), which is a huge security risk because it makes it possible to run any code.
Due to security vulnerabilities in BinaryFormatter, the following methods are now obsolete and produce a compile-time warning with ID SYSLIB0011. Additionally, in ASP.NET Core 5.0 and later apps, they will throw a NotSupportedException, unless the web app has re-enabled BinaryFormatter functionality.
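The points raised above, as one added example (not code from the question, from any of the answers, or from Microsoft's documentation): the [Serializable] restriction and the anonymous-type failure from the question, and the "payload decides what runs" risk behind SYSLIB0011 together with the allow-list SerializationBinder mitigation. The Order, Sidekick and AllowListBinder types are hypothetical names chosen for the demo; the [OnDeserialized] callback only sets a flag, standing in for whatever code a type named by an untrusted stream would run. The pragma exists only so the obsolete API compiles, and on recent .NET versions Deserialize additionally refuses to run unless the EnableUnsafeBinaryFormatterSerialization project property is set, as the SYSLIB0011 guidance describes.

```csharp
// Added example: BinaryFormatter restrictions, the deserialization risk, and
// an allow-list binder. Types and names here are hypothetical demo code.
#pragma warning disable SYSLIB0011   // BinaryFormatter is obsolete; demo only
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public sealed class Order            // the only type the receiver expects
{
    public int Id;
    public string Customer;
}

[Serializable]
public sealed class Sidekick         // stands in for any type the sender picks
{
    public string Note;
    public static bool Executed;     // static fields are not serialized

    // Runs inside BinaryFormatter.Deserialize, before the caller sees a result.
    // An attacker picks a type whose callbacks do something harmful; this one
    // only records that it executed.
    [OnDeserialized]
    private void OnDeserialized(StreamingContext _) => Executed = true;
}

// Allow-list binder: any type name not on the list is refused, so the bytes
// can no longer dictate which type gets constructed.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(Order).FullName) return typeof(Order);
        throw new SerializationException($"Type '{typeName}' is not allowed");
    }
}

public static class Demo
{
    static byte[] Serialize(object graph)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, graph);
        return ms.ToArray();
    }

    static object Deserialize(byte[] data, SerializationBinder binder = null)
    {
        var f = new BinaryFormatter();
        if (binder != null) f.Binder = binder;
        return f.Deserialize(new MemoryStream(data));
    }

    public static void Main()
    {
        // 1. Restriction: anonymous types carry no [Serializable], so this throws
        //    "Type '<>f__AnonymousType0`2[...]' ... is not marked as serializable."
        try { Serialize(new { Id = 1, Name = "x" }); }
        catch (SerializationException e) { Console.WriteLine("anonymous type: " + e.Message); }

        // 2. Risk: the stream, not the receiver, decides which type is built, and
        //    that type's code runs during Deserialize.
        byte[] hostile = Serialize(new Sidekick { Note = "from the wire" });
        object got = Deserialize(hostile);           // receiver wanted an Order
        Console.WriteLine($"got {got.GetType().Name}, callback ran: {Sidekick.Executed}");

        // 3. Mitigation: the binder refuses everything except Order, so the
        //    Sidekick instance is never constructed and its callback never runs.
        Sidekick.Executed = false;
        try { Deserialize(hostile, new AllowListBinder()); }
        catch (SerializationException e) { Console.WriteLine("binder: " + e.Message); }
        Console.WriteLine($"callback ran with binder: {Sidekick.Executed}");

        // The allow-listed type still round-trips normally.
        var ok = (Order)Deserialize(Serialize(new Order { Id = 7, Customer = "acme" }),
                                    new AllowListBinder());
        Console.WriteLine($"order {ok.Id} for {ok.Customer}");
    }
}
```

The binder throws rather than returning null because a null return lets the formatter fall back to its own type resolution, which is exactly the behaviour being blocked. Even with a binder, the right fix is the one the SYSLIB0011 guidance gives: stop using BinaryFormatter for any input you do not fully control.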
Serialization is a process of converting an object into a stream of data so that it can be easily transmitted over the network or stored in a persistent storage location. This storage location can be a physical file, a database or the ASP.NET Cache.
There are three types of serialization in .NET: Binary Serialization, SOAP Serialization and XML Serialization. Binary serialization is the process where you convert your .NET objects into a byte stream.
If you mean BinaryFormatter:
events)
I've spent lots of time in this area, including writing a (free) implementation of Google's "protocol buffers" serialization API for .NET; protobuf-net.
This is:
ISerializable (for remoting etc) and WCF
Given any random object, it's very difficult to prove whether it really is serializable.