[Python-ideas] extensible template strings

Nathaniel Smith njs at pobox.com
Thu Aug 20 02:47:10 CEST 2015


On Aug 19, 2015 17:29, "Steven D'Aprano" <steve at pearwood.info> wrote:
>
> On Wed, Aug 19, 2015 at 08:15:05PM -0400, Eric V. Smith wrote:
> > I agree that if it were just about hiding a function call, it
> > wouldn't be interesting at all.
> >
> > But just as:
> > f'My name is {name}'
> >
> > is arguably an improvement over:
> > 'My name is {0}'.format(name)
> >
> > So too would:
> > sql'select {columns} from {table}'
> >
> > be easier to read than:
> > sql.run('select {} from {}', columns, table)
>
[...]
> It looks to me that the sql'...' version above is trivially vulnerable to
> code injection attacks.

The proposal is more subtle than that: the sql'...' version would expand to
something like the sql.run(...) version, i.e. python would be responsible
for pulling out the embedded code from the string and evaluating it, and
then the sql object would be responsible for safely sticking the values
back into the string in an sql-appropriate way or otherwise handling them.

-n
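To make the distinction concrete, the following is an added example written for this page; it is not code from the thread or from any proposed implementation. `SqlRunner` is a hypothetical stand-in for the `sql` object above: its `run()` receives the template text with `{}` placeholders plus the already-evaluated expressions, which is what a `sql'...'` literal would expand into, and binds each value as a query parameter. It goes one step beyond the message in one respect: the thread's placeholders `{columns}` and `{table}` are identifiers, which no database driver can bind as parameters, so a hypothetical `Identifier` marker is used to splice those in as double-quoted names instead. The in-memory SQLite table and the injection payloads are constructed for the demonstration.

```python
import sqlite3
import string


class Identifier(str):
    """Hypothetical marker: this value is a table/column name, not data.

    Names cannot be bound with '?', so the runner quotes them instead.
    """


class SqlRunner:
    """Stand-in for the thread's 'sql' object (an assumption, not a real API).

    run() takes the template a sql'...' literal would expand into plus the
    evaluated expressions; every {} becomes a bound parameter, except
    Identifier values, which are spliced in as quoted names.
    """

    def __init__(self, conn):
        self.conn = conn

    def build(self, template, *values):
        """Return (query_with_placeholders, params) without executing."""
        values = list(values)
        out, params = [], []
        # string.Formatter().parse splits the template into literal text
        # and {} fields; field is None only for trailing literal text.
        for literal, field, _spec, _conv in string.Formatter().parse(template):
            out.append(literal)
            if field is None:
                continue
            if not values:
                raise ValueError("more {} fields than values")
            value = values.pop(0)
            if isinstance(value, Identifier):
                # Double-quoted identifier; an embedded '"' is doubled.
                out.append('"' + value.replace('"', '""') + '"')
            else:
                out.append("?")
                params.append(value)
        if values:
            raise ValueError("more values than {} fields")
        return "".join(out), params

    def run(self, template, *values):
        query, params = self.build(template, *values)
        return self.conn.execute(query, params).fetchall()


def make_db():
    """Constructed sample data: a two-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, role text)")
    conn.executemany("insert into users values (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def naive_lookup(conn, name):
    """The shape the objection has in mind: the value is pasted into the SQL."""
    query = "select name from users where name = '{}'".format(name)
    return conn.execute(query).fetchall()


def template_lookup(conn, name):
    """What sql'select name from users where name = {name}' would expand to."""
    return SqlRunner(conn).run("select name from users where name = {}", name)


def attempt(conn, template, *values):
    """Run a template and report either the rows or the database's error."""
    try:
        return ("rows", SqlRunner(conn).run(template, *values))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    payload = "x' or '1'='1"
    print("naive   :", naive_lookup(db, payload))      # every row leaks
    print("template:", template_lookup(db, payload))   # no row matches
    print(attempt(db, "select {} from {}",
                  Identifier("name"), Identifier('users"; drop table users; --')))
```

The naive version returns both rows for the payload because the quote closes the string literal; the template version returns nothing because the whole payload is bound as one value. The identifier payload is quoted into a single (nonexistent) table name, so the database reports an error rather than executing the `drop`.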

