CodeProject: Nine reasons not to use serialization. Free source code and programming help

Report Article

Discuss

Send to a friend

84 votes for this Article.

Popularity: 4.21 Rating: 2.19 out of 5

Introduction

If you want to know how to get your application to save information to disk or the registry, then a quick skim through MSDN magazine or a quick search on newsgroups will give you the answer: serialization.

Mark your classes with the [Serializable] attribute and there you go. It’s a simple matter of creating a Formatter and a Stream and a couple of lines later it’s done. Alternatively, you could mark up your class with the necessary attributes and use XML Serialization.

All very simple, but unfortunately all very wrong. There are a number of reasons why you should not opt for the simple approach. Here are nine important ones.

1. It forces you to design your classes a certain way

XML serialization only works on public methods and fields, and on classes with public constructors. That means your classes need to be accessible to the outside world. You cannot have private or internal classes, or serialize private data. In addition, it forces restrictions on how you implement collections.

2. It is not future-proof for small changes

If you mark your classes as [Serializable], then all the private data not marked as [NonSerialized] will get dumped. You have no control over the format of this data. If you change the name of a private variable, then your code will break.

You can get around this by implementing the ISerializable interface. This gives you much better control of how data is serialized and deserialized. Unfortunately …

3. It is not future-proof for large changes

Type information is stored as part of the serialization information. If you change your class names or strong-name your assemblies, you’re going to hit all sorts of problems. Even if you manage to code the necessary contortions to get round this, you’re going to find that …

4. It is not future-proof for massive changes

.NET isn’t going to be around in five years or so. If you start implementing the ISerializable interface in your code now, then its tendrils are going to be everywhere in five years’ time. Your code is going to be full of little hacks to cope with version changes, class re-naming, refactoring, etc. Some time in the future, .NET will be superseded by something even more wonderful. Nobody knows what this something wonderful will be, but you can bet that writing code-read data serialized by version 1.1 of the .NET framework is going to be a pig. I wrote some VB6 code 5 years ago and used the Class_ReadProperties and Class_WriteProperties events to access PropertyBag objects. A neat, easy way of storing information to disk, I thought. And it was, until .NET came along and then I was stuck.

5. It is not secure

Using XML serialization is inherently insecure. Your classes need to be public, and they need to have public properties or fields. In addition, XML serialization works by creating temporary files. If you think you’re creating temporary representations of your data (for example, to create a string that you’re going to post to a web service), then files on disk will pose a potential security risk. If, instead, you implement the ISerializable interface and are persisting sensitive internal data, then, even if you’re not exposing private data through your classes, anyone can serialize your data to any file and read it that way, since GetObjectData is a public method.

6. It is inefficient

XML is verbose. And, if you are using the ISerializable interface, type information gets stored along with data. This makes serialization very expensive in terms of disk space.

7. It is a black box

The odds are you don’t really know how serialization works. I certainly don’t. This means that there are going to be all sorts of quirks and gotchas that you can’t even conceive of when you start using it. Did you know that XML serialization actually uses the CodeDom? When you think you’re creating a bunch of XML, .NET is actually doing some sort of compilation. What are the implications of that? The only thing I know is that I will not know about them until it’s too late.

8. It is slow

When I did some research for a previous article (http://www.devx.com/dotnet/Article/16099/0), I noticed a few interesting things. I wrote a class that contained two double values. I created 100,000 instances of this class, stored them to disk, and then read them back again. I did this two ways. First of all, I did it the “proper” way, by implementing ISerializable, creating a BinaryFormatter, and using the Serialize and Deserialize methods. Secondly, I did it the “dirty” way, by blasting the data straight out into a Stream. Which way was faster? Perhaps not surprisingly, the dirty way. About 50 times faster. Surprised? I was.

9. It is weird

ISerializable does a lot of cunning work. This means that it doesn’t necessarily behave the way you might expect. When you deserialize a collection of objects, for example, the constructors won’t get called in the order that you might think. Take the following code sample:

using System;
using System.Runtime.Serialization;
using System.Collections;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

class Class1 
{

    static void Main(string[] args)
    {
        ParentClass c1=new ParentClass();
        BinaryFormatter f=new BinaryFormatter();
        MemoryStream m=new MemoryStream();
        f.Serialize(m, c1);
        m.Seek(0, SeekOrigin.Begin);
        ParentClass newClass=(ParentClass)f.Deserialize(m);
        Console.WriteLine("Deserialized\r\n{0}", newClass.ToString());
        Console.WriteLine("Press [Enter]");
        Console.ReadLine();
    }
}

[Serializable]
class ParentClass : ISerializable
{
    private ArrayList m_Collection;

    public ParentClass()
    {
        //set up the collection of child classes

        m_Collection=new ArrayList();
        m_Collection.Add(new ChildClass("Hello World!"));
        m_Collection.Add(new ChildClass("Hello again!"));
    }

    public override string ToString()
    {
        string s="";

        foreach (ChildClass c in m_Collection)
        {
            s=s+c.ToString()+"\r\n";
        }
        return s;
    }

    public ParentClass(SerializationInfo info, StreamingContext context)
    {
        //deserialize the child collection

        m_Collection=(ArrayList)info.GetValue("Collection", 
                                              typeof(ArrayList));

        //loop through what has just been deserialized


        Console.WriteLine("Just deserialized items:");

        //THESE WILL BE BLANK BECAUSE THE CHILD CLASSES HAVEN'T BEEN 

        // DESERIALIZED YET


        foreach (ChildClass c in m_Collection)
        {
            Console.WriteLine("{0}", c.ToString());
        }
    }

    public void GetObjectData(SerializationInfo info,  
                              StreamingContext context)
    {
        //serialize the collection

        info.AddValue("Collection", m_Collection);
    }
}

[Serializable]
class ChildClass : ISerializable
{
    private string m_TestString;

    public ChildClass(string testString)
    {
        m_TestString=testString;
    }

    public string TestString
    {
        get
        {
            return m_TestString;
        }
    }

    public override string ToString()
    {
        return m_TestString;
    }

    public ChildClass(SerializationInfo info, StreamingContext context)
    {
        Console.WriteLine("Deserializing a child class");
        m_TestString=info.GetString("v");
    }

    public void GetObjectData(SerializationInfo info, 
                              StreamingContext context)
    {
        info.AddValue("v", m_TestString);
    }
        
}

This code essentially serializes and de-serializes a parent object that contains a collection of child objects. You cannot, however, access the child objects from within the deserialization constructor of the parent object. The m_Collection object has been created, a value has been assigned to it, and info.GetValue(“Collection”, typeof(ArrayList)) has been called, but the m_Collection object does not contain any child objects. This is necessary given the way that serialization works, but it is not obvious behaviour. This, and other things, means that using serialization can be non-intuitive, and very hard to debug.

Have no regrets

Although .NET provides a number of quick and easy ways to serialize and deserialize data, do not use them. A week, a month, a year, or five years down the line you will regret it.

ANTS Profiler, the simple code profiling tool from Red Gate Software, will find bottlenecks in your apps and tell you what your code is really doing.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Neil Davidson

Neil Davidson is technical director of Red Gate Software (www.red-gate.com), a company that provides simple tools for Microsoft developers, testers and DBAs. He can be reached at neil.davidson@red-gate.com.

Location:

United Kingdom

Other popular .NET Framework articles:

The 30 Minute Regex Tutorial
Learn how to use regular expressions in 30 minutes with Expresso.
Strings UNDOCUMENTED
Detailed looked at the implementation of strings in .NET
Expresso - A Tool for Building and Testing Regular Expressions
For learning, building, and debugging .NET Framework regular expressions
Unraveling the Mysteries of .NET 2.0 Configuration
Learn how to utilize the powerful new .NET 2.0 configuration features to simplify and centralize your configuration code.
Simple Windows Service Sample
A simple application to show how to create a Windows service.

Article Top

You must Sign In to use this message board.

Msgs 1 to 25 of 140 (Total in Forum: 140) (Refresh)

FirstPrevNext

Subject

Author

Date

I agree...

E.T.

12:20 29 Jun '08

1. It forces you to design your classes a certain way

totally agree with that. I've been working with .NET XML serialization for over a year with a lot of classes that needed to be serialized. The good part is that XML serialization is way easy and fast. The bad part is I've never seen a single class that passed the XML serialization process without having to make a lot of changes that make any OO programmer sick. For instance:
1) I don’t want my class to have a parameterless constructor. It does not make sense to have one, so don’t force me to.
2) I must avoid the ICollection interface, otherwise the serializer will ignore your properties.
3) All properties have to be get/set, when most of the time, it is not necessary, or doesn’t make sense at all.
4) Timespan cannot be serialized (at least up to 2.0), so you again modify your class in order to serialize this information properly. (Ok not very important)

This should be removed

coffeemkr0

10:33 11 Feb '08

Wow, what a waste of time it was to read this. This is nothing but an opinion piece, it should be removed imo.
Sign In·View Thread·PermaLink	5.00/5 (2 votes)

I disagree

jgamezk

11:10 15 Oct '07

First of all, as said by many others, serialization is not only used for persistence. If you need to send data across a wire (i.e. network), you need to make your object a machine-independent memory-independent series of bytes to transfer. What other mechanism do you suggest for doing this?
The fact that you cannot guarantee (with only one design iteration) that your object will work in the future is a problem that goes back to the ancient “C++ fragile base class” problem. If the layout of your object changes , code has to be written to deal with this. I don’t see how you can avoid this problem no matter what method you use.

Every thing is told . Make sure you read the comments more careful.

zezeziza1

0:03 2 Sep '07

Every thing is told . Make sure you read the comments more carfully. Pouya Rahmati
Sign In·View Thread·PermaLink

Hilarious!

mbwoody77

3:54 8 Jun '07

Giving us nine reasons not to use a technology that you don't understand: "The odds are you don’t really know how serialization works. I certainly don’t" Priceless. Bryan
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Re: Hilarious!

Phil Liebscher

6:19 22 Jun '07

Hehe! I agree. Pretty darn hilarious. 'I fear that which I do not understand.' I say - 'the right tool for the job.' Serialization is fantastic when used appropriately. It's not a "Golden Hammer"... well, erm... for some folks I'm sure it is. Given that rational, the author should be able to come up with more than 9 reasons. -P
Sign In·View Thread·PermaLink

.Net serialization is a nightmare in high load applications

Khazbak

23:36 15 May '07

After using .Net binary serialization for almost two years, I agree it's very bad choice for all the reasons mentioned. I have a horrible performance bottleneck in a system serving few hundreds of TCP/IP connections. After intensive investigation it's very apparant that BinaryFormatter is the reason behind it.
Sign In·View Thread·PermaLink	2.00/5 (2 votes)

I disagree

Tristan Rhodes

6:59 27 Apr '07

I dissagree with some of the points in this article.

In terms of native object serialization, you are asking for trouble and it should be avoided for anything other than a cheesy network send hack. However, XML as a standard is not going anywhere, and things will be stored / serialized to and from it for years to come, reagardless of whether .Net exists.

The structure of the Xml should be designed with extensibility in mind, and any future proofing should be up to the actual developer. As for having to 'design' it into your application. Of course you do; any saving mechanism requires design to implement, whether binary, xml, database or JSON. However the mechanical components of your application should never be serialized directly, this is extremly bad practice.

If you create an XmlDocument that writes Nodes to it (Which incidently is what the XmlSerializer does), you are still locking yourself into the same format as using the XmlSerializer, but you can't change it as easily.

At the end of the day, serialization is just a storage medium, for either short or long term. If you want to secure it, encrypt the stream as you write it to a file.

Cheers

Tris

-------------------------------

Carrier Bags - 21st Century Tumbleweed.

5.00/5 (1 vote)

Re: I disagree

gbjbaanb

3:40 1 Feb '08

"cheesy network send hack". lol. The entire internet works off binary protocols, sorry "cheesy hacks".

The problem with XML is that it is very slow to format and parse. Very slow. If you sent a CSV-delimited text file you'd be much better off. IF you remove the commas and replaced them with character-count prefixes to each string then you'd be even more better off.

You can quite happily write to a binary stream instead and transmit that (remember to convert to network byte order, like every tcp/ip stream should be) and you'll be platform independant with only a little bit of work... but your stream will be a fraction of the size of your XML document, and will be significantly faster to serialise. If you think that today's computing resources are so fast that the overhead of using XML is acceptable, then you havn't been sendng it over a wireless or mobile connection.

XML is 'cool', but its a pretty poor solution to almost every task its used for.

Re: I disagree

Tristan Rhodes

0:26 12 Feb '08

Sure if memory / bandwidth isn't an issue.

My point is that serialization is essential as a tool for persistance of hierachical data, regardless of the medium used.

The type of serialization is implementation dependant, but serializing to XML is perfectly acceptable for long term storage on a file system. Similarly, it would not be appropriate for short term persistance over a low bandwidth connection.

gbjbaanb wrote:
The problem with XML is that it is very slow to format and parse. Very slow. If you sent a CSV-delimited text file you'd be much better off. IF you remove the commas and replaced them with character-count prefixes to each string then you'd be even more better off.

I completely agree if your emphasis is on Speed and Minimizing size. But premature optimisation wastes development time.

T

-------------------------------

Carrier Bags - 21st Century Tumbleweed.

Re: I disagree

aL3891

14:24 11 Jun '08

'XML is 'cool', but its a pretty poor solution to almost every task its used for. '

yeah, you know ive heard of this thing called "html".. i dont relly konw what it is.. some new thing.. its using xml though so im sure it wont be succesful at all

'The entire internet works off binary protocols'

well actually, the entire internet works of xml Smile

(thats itself is beeing serialized binary obviously, so you are technically correct Smile

)

Re: I disagree

gbjbaanb

0:28 12 Jun '08

Sure, XML is a good document format. Its good at persisting documents.

Its not good for a lot of other things that it is used for, probably becuase everyone and his dog thinks MXL = magic bullet that solves all problems.

The internet was a form of transmitting documents and HTML worked well for that, but once you start sending data, especially dynamic data, it starts to fall apart. You don;t see nayone converting their data streams to html and sending fully-parsed documents to the browser do you? No, the internet would become even slower!

For a good example, look at the differences between XML and JSON or YAML. One requires you to read the entire document into memory, is bloated with tags and is inefficient to read or write. JSON is a lot more stream-friendly and a lot smaller.

XML was a good first step in document formats, and had the handy ability to be useable for object serialisation. People have seen its disadvantages and created better formats since then.

"Black box"?

mike-obrien

18:45 14 Apr '07

Any managed Framework assembly can be disassembled with a tool like Reflector (http://www.aisto.com/roeder/dotnet/[^]) into your favorite language. Personally I think the .NET Framework is an open book. If you want to know whats going on under the hood just disassemble it and look for yourself! Mike O'Brien Developer www.mike-obrien.net
Sign In·View Thread·PermaLink

What a load of rubbish

AvoSoftwareTeam

4:17 12 Mar '07

If you do not like the way your classes are serialized then implement ISerializable and do it yourself. The same goes for only serializing public members and anyway what is wrong with this. Antway Serializable is much more than just saving settings. It's primary aim is for support of WebServices and remoting which it does very well.
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

.net 2.0 serialization and #4 wtf

KynanHaas

13:21 13 Feb '07

See "custom serialization" in msdn library. (I know this didn't exist when the article was written).

The best practice and easiest way (introduced in version 2.0 of the .Net Framework) is to apply the following attributes to methods that are used to correct data during and after serialization:

OnDeserializedAttribute

OnDeserializingAttribute

OnSerializedAttribute

OnSerializingAttribute

Using attributes should help to decouple your oo design from the lock-ins of the platform, ie. you mention in 5 years time you don't want your code to be littered with references to dotnet serialization interfaces... attributes is a level higher.
ie. you could tag your save method:

[OnSerializedAttribute]
public bool Save() { }

That is relevant to every platform, obviously just follow the pattern of the new platform to invoke that save method.

The fact that you make the comment 'dotnet won't be around in 5 years' really takes away any credability that this article has. The article was written almost 3 years ago (?), so you've almost been proved wrong, if you haven't already conceeded that... .Net 3.0 has recently been released and the platform/framework is very rich in features.
You can imagine as dotnet goes forward more emphasis will be put on performance, any tuning to the framework means we get a performance boost - for nothing!

I'm a little scared to see you're in the business of promoting MS products if this is your attitude.

http://www.thesimpsonsquotes.com/

5.00/5 (1 vote)

I disagree [modified]

BrendanMc

18:30 8 Oct '06

1. It forces you to design your classes a certain way

Of course you need to write classes a certain way to enable them to be serialisable. Anyone who has experience in object oriented programming (NO VB6 and below does not count and in some cases neither does .NET) will know what serialisability is for. Learn OO then you will see serialising is a good thing

2. It is not future-proof for small changes and 3 and 4

Serialising allows you to transfer data objects between applications making the data portable from one program to another. IE, use a class library for your object model. When the need arises to use the data from a previous applications, you utilise this library of classes to read the data.

When a class becomes redundent and you deprecate its use or a new class is needed, DONT write a whole new class from scratch, use OO programming techniques and Extend the class you already have. T

his means that new fields, properties and methods can be implemented and older data can be read into the new class.

5. It is not secure

There are various techniques to obfuscate the data. Dont be so naieve.

6. It is inefficient

Yes serialisation can be inefficient BUT this TOO can be streamlined.

7. It is a black box

Serialisation is an open book. Its take the properties and store them to disk or a stream, a database etc., extremely black and white.

8. It is slow

Once again this can be streamlined.

9. It is weird

Yes contructors dont get called because your NOT creating an INSTANCE of the object. The object is being loaded into another instance. Simple.

_________________________
Brendan McLaughlin
InstinctFx.NET

5.00/5 (3 votes)

Agree with you

Jrc_

8:01 28 Jun '06

And you must implement protected constructor when you implement ISerializable. It destroys all merge faculties, on the contrary of Xml Serialization for example. --------------------------- Jrc - Jean Rémy Cohen Software .NET/J2EE engineer C~B Méditerranée, France ---------------------------
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

workaround for point 9

Snixtor

18:42 19 Mar '06

Point 9 is actually a curiosity I discovered a while ago when using serialization for the first time. Modify the ParentClass GetObjectData method to include this line:

info.AddValue("Workaround", new ChildClass("workaround"));

Hmm, suddenly the program no longer crashes on attempting to iterate through the ArrayList of ChildClass instances in its deserialization constructor. They're fully instantiated. Again, of course, being a black box, I have no idea why this happens, but it does. Perhaps a bug in the reflection class? Something to do with user defined classes perhaps. Afterall, if we substitute the elements of the ArrayList with Strings, they're immediately accessible during the ParentClass' deserialization constructor.

5.00/5 (1 vote)

Serialization is not just for persistence

JacobOReilly

10:14 1 Mar '06

I think it's important to note that the Serialization talked about in this article was not designed to be a great way to persist your data. It is a framework service that allows various forms of RPC to work with minimal effort. e.g. SOAP, MarshalByRef, server activated Serviced components, etc. Lets not forget one of the most common uses of this technology: state in web apps. Ever written code like this when you're using one of the out-of-process session state options? (Session Service or Database)
Session["MyKey"] = myObject;
The object better implement ISerializable or your code will fail (this is so common, in fact, that the ASP.NET team even added descriptive wording in the exception that occurs telling you what to do to fix it.)
The very same thing allows you to stick your object into ASP.NET ViewState if that's your thing.
Sure, you have to weigh up the performance, but seriously there's more to ISerializable than saving some data to disk.

SerializationBinder

ziade

14:54 8 Feb '06

Number 3 talks about changes to assemblies versions, fields in class, etc that will cause problems with deserialization. There is a class called the SerializationBinder that lets the user control which object deserializes the stream. I have used this before in a couple of projects and works great.
Sign In·View Thread·PermaLink	1.00/5 (1 vote)

IDeserializationCallback

ziade

13:57 8 Feb '06

In your code exmaple you write : //THESE WILL BE BLANK BECAUSE THE CHILD CLASSES HAVEN'T BEEN // DESERIALIZED YET You could use the IDeserializationCallback interface to find out when everything has been deserilized.
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Re: IDeserializationCallback

Rajasekar M

2:51 18 Apr '07

Hi,
There may be cases where a particular memeber of a class can be protected from Serialization using NonSerializable attribute.While Deserialzing this particular class ,all the members should be initialised appropriately.So if IDeserializationCallback interface is used to call ondeserialization method the members 'll be initialised.In a nut shell,Its just to enable your class to automatically initialise the non serialized member.

And the alternative?

Adael

6:54 10 Dec '05

In your article you only talk about XML serialization. What's happen with Binary serialization?...

Also you exposed that if you uses xml serialization you'll regret it, but... where's the alternative?

You can say "If you use IExplore you'll regret it, use Firefox instead, because firefox it's free and opensource. Also you don't know what IE do while you're surfing the web."

But if you only say "don't use IExplore." the others can't make his own opinion.

Bad article i think. But thanks for trying to help community, perhaps the next articles will be better.

PD: Sorry my bad english.

5.00/5 (2 votes)

i disagree - vehemently

Peter Fearn

4:45 5 Sep '05

1. That's fine - only use xml serialisation for classes that are designed in that way - or only design classes in that way when they need xml serialisation

2 - 4. fair enough, but doesn't apply to xml serialisation as you can always, always parse a correctly formed xml document

5. it's not secure, but if files on your disks are potential security risks, then you're screwed anyway.

6. sometimes you want a verbose output (e.g. XML), that's when you'd use it.

7. can't argue with that - but then so is most of .net

8. again, can't argue with that, but sensible system designers will take this into account if they are serialising 100,000 objects

9. now he's just being daft - "it is weird"... that's like saying we don't like foreigners, cause they're foreign. Or more pertinantly, the String object is weird because it doesn't sort numbers correctly. If you understand the behaviour, don't try and use it the way it's not supposed to be used (i.e. don't access deserialised objects in the classes constructor)

but yes, he does have a point, we shouldn't blindly use the built in serialisation in all scenarios

and suspiciously he's hawking his company's product here too - that tells you exactly what you're code is doing.... is he recommending that you check what the .net framework is doing all the time - you'd never get anything done!

2.33/5 (3 votes)

Re: i disagree - vehemently

Mr Crab

5:03 5 Sep '05

It is my gut feel that serialisation is the way forward in web application design and development. I encourage as much hard coding as possible. I also urge you to use a sand box and remember always charge for comms and go-live. Rob
Sign In·View Thread·PermaLink

Last Visit: Saturday, July 19, 2008 10:11 PM Last Update:Saturday, July 19, 2008 10:11 PM

12 3 4 5 Next »

General News Question Answer Joke Rant Admin