Security risk with Binary Formatter

Using Binary Formatter is NOT recommended because it has potential security risks which you can read in the official Microsoft documentation:

I personally think this should be very clearly and explicitly stated within the video.

Thankfully I have seen that @Brian_Trotter has created a tutorial that expands upon this saving system by converting it to JSON, which I will be following after completing the RPG course.

Link to his tutorial:

1 Like

I saw this topic and had already copied the address to my Json Saving system, and I see you’ve already cleverly linked it.

I’ve been waiting for official publication of this to work out kinks (what you see now is the 3rd revision of the system). I do think it’s ready, though, so likely this will be in the form of an addendum at the end of the Saving System sections.

For the purposes of prototyping, before you’re shipping the game out to others (that’s the point where we lose control of the save file), the BinaryFormatter is, while not ideal, not terribly dangerous. Once the game is published, and especially if you set up a system where the save file is served from the cloud, then the circle of trust is broken and BinaryFormatter isn’t safe. My Json system will not instantiate any classes when it’s decoded; that all must be done with RestoreState, so we have control over what we instantiate.

1 Like
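The distinction Brian draws above, a decoder that builds a plain data tree versus one that constructs whatever types the file names, is shown in the added example below. This is illustrative code written for this page, not the RPG course's saving system or Brian Trotter's JSON tutorial; the `IJsonSaveable` interface, the `HealthState` component and the `JsonSaveFile` class are assumed names chosen to mirror the course's CaptureState/RestoreState pattern, and the Json.NET (`Newtonsoft.Json.Linq`) calls are the only library dependency.

```csharp
// Added example (not the course's or Brian Trotter's code). Assumes Json.NET is available.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using Newtonsoft.Json.Linq;

// Assumed interface: each saveable turns its state into a JToken and back.
// Restoring is the component's job, so the file never chooses which classes exist.
public interface IJsonSaveable
{
    JToken CaptureAsJToken();
    void RestoreFromJToken(JToken state);
}

// Assumed sample component: a player's health value.
public class HealthState : IJsonSaveable
{
    public float Health = 100f;

    public JToken CaptureAsJToken() => new JObject { ["health"] = Health };

    public void RestoreFromJToken(JToken state)
    {
        // Read only the primitive we expect and validate it; nothing in the
        // file can make this method construct an arbitrary type.
        if (!(state is JObject obj)) return;
        JToken h = obj["health"];
        if (h == null) return;
        if (h.Type != JTokenType.Float && h.Type != JTokenType.Integer) return;
        Health = Math.Max(0f, Math.Min(100f, h.Value<float>()));
    }
}

public static class JsonSaveFile
{
    // Save: each saveable writes its captured state under a string key.
    public static void Save(string path, IDictionary<string, IJsonSaveable> saveables)
    {
        var root = new JObject();
        foreach (var kv in saveables)
            root[kv.Key] = kv.Value.CaptureAsJToken();
        File.WriteAllText(path, root.ToString());
    }

    // Load: JObject.Parse only builds a tree of JSON tokens. It does not
    // instantiate application types, so a tampered file can at worst hand a
    // component unexpected values, which RestoreFromJToken validates.
    public static void Load(string path, IDictionary<string, IJsonSaveable> saveables)
    {
        JObject root;
        try
        {
            root = JObject.Parse(File.ReadAllText(path));
        }
        catch (Newtonsoft.Json.JsonReaderException)
        {
            return; // corrupt or tampered file: ignore it rather than trust it
        }

        foreach (var kv in saveables)
        {
            if (root.TryGetValue(kv.Key, out JToken state))
                kv.Value.RestoreFromJToken(state);
        }
    }

    // The pattern the thread warns about, kept here only for contrast:
    // BinaryFormatter constructs whatever types the stream names, so once the
    // save file leaves your control the file's author decides what runs.
    public static object UnsafeBinaryLoad(string path)
    {
        using (FileStream stream = File.Open(path, FileMode.Open))
        {
            return new BinaryFormatter().Deserialize(stream); // do not use on untrusted files
        }
    }
}
```

Usage follows the same shape as the course's save wrapper: register each component under a stable key (for example `saveables["player.health"] = playerHealth;`), call `JsonSaveFile.Save(path, saveables)` on save and `JsonSaveFile.Load(path, saveables)` on load. The key design choice is that `Load` never creates objects from the file; the components that already exist in the scene pull values out of the parsed tree and decide for themselves what to accept.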