[Python-3000] features i'd like [Python 3000?] ... #4: interpolated strings ala perl
Jan Grant
jan.grant at bristol.ac.uk
Wed Dec 6 10:36:31 CET 2006
On Mon, 4 Dec 2006, Barry Warsaw wrote:
> On Dec 4, 2006, at 5:08 AM, Ben Wing wrote:
>
> > i see in PEP 3101 that there's some work going on to fix up the string
> > formatting capabilities of python. it looks good to me but it still
> > doesn't really address the lack of a simple interpolated string
> > mechanism, as in perl or ruby.
I don't think there's such a thing.
> After several years of use, I'm strongly +1 for this feature in some
> form or another.
I think it's a terrible idea in almost every form.
> There should be little security concern about the feature specifically,
> but you do need to be aware of an issue once you start hooking into
> catalogs.
The reason _why_ I think it's such a bad idea is the above statement
just doesn't gel with practical experience. Google will find plenty of
reading material if you search for "php sql injection" or "php
cross-site scripting". That is to say:
In many places where string interpolation is used, what you want is NOT
a simple interpolation. Perhaps the feature was OK in the dim distant
past of Perl, but back then Perl was aimed at being a tool for
sysadmins, and sysadmins often deal with plain text files (in the Unix
context).
When presented with this misfeature, however, novice programmers see it
as a great way to construct SQL queries, or perhaps produce html output
with variables interpolated. In both instances the convenience of the
expression leads to the dark path.
So unless there's a way to get strings to magically know their intended
use, and to find a type- and use-safe way of doing interpolation that
respects the quoting requirements of the eventual use (and I don't think
that level of type inference is going to happen in Py3k), I think this
is, on a practical level, inviting disaster.
You mention the need to quote variables that are interpolated. You're
clearly a careful and thoughtful programmer. Python is a great language
for novices too, and they may not have even been exposed to the concept
of an injection attack. Don't turn Python into the next PHP.
Cheers,
jan
--
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661 http://ioctl.org/jan/
Whose kung-fu is the best?
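The distinction the post draws between plain interpolation and interpolation that respects the quoting rules of the eventual use, as an added illustration in Python that is not part of the original thread: one lookup pastes a value into SQL text (the pattern warned about) beside a parameterized query, and one render pastes a value into HTML beside an escaped version. The table, its rows and the tainted input are constructed for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table with two rows.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db


def lookup_interpolated(db, name):
    # Plain interpolation: the value becomes part of the SQL text, so any
    # quote or operator inside it is parsed as SQL rather than as data.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, name):
    # Use-aware interpolation: the driver binds the value as data, so the
    # query shape cannot change no matter what the string contains.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]


def render_interpolated(name):
    # Plain interpolation into HTML: markup in the value is emitted as markup.
    return "<p>Hello, %s</p>" % name


def render_escaped(name):
    # Use-aware interpolation for HTML: escape for the HTML text context.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def demo():
    db = make_db()
    # Constructed input that is valid SQL syntax rather than a user name.
    tainted = "x' OR 'a'='a"
    return {
        "interpolated": lookup_interpolated(db, tainted),     # every row leaks
        "parameterized": lookup_parameterized(db, tainted),   # no such name
        "html_raw": render_interpolated("<script>"),
        "html_escaped": render_escaped("<script>"),
    }
```

Running `demo()` shows the interpolated lookup returning both rows for an input that matches no name, while the parameterized lookup returns nothing and the escaped render keeps the markup inert.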