[Python-ideas] extensible template strings

Wes Turner wes.turner at gmail.com
Thu Aug 20 03:00:56 CEST 2015


On Aug 19, 2015 7:50 PM, "Eric V. Smith" <eric at trueblade.com> wrote:
>
> On 8/19/2015 8:28 PM, Steven D'Aprano wrote:
> > On Wed, Aug 19, 2015 at 08:15:05PM -0400, Eric V. Smith wrote:
> >> On 8/19/2015 7:43 PM, Guido van Rossum wrote:
> >>> How important is it really to *hide* the fact that this involves a
> >>> function call?
> >>
> >> The only reason PEPs 498 and 501, and by extension Yuri's proposal, have
> >> any difference over a function call is the ability to evaluate the
> >> embedded expressions in the local context, before the function is
> >> called.
> >
> > Isn't that exactly what a normal function call does?
> >
> > func(expr)
> >
> > evaluates expr in the local context before the function is called.
>
> Yes. But you couldn't write:
>
> sql('select {columns} from {table}')
>
> And have it get columns and table from where the sql function were
> called. See the discussions preceding PEP 498.
>
> > Yuri linked to the Javascript reference for this feature, which
> > explicitly warns that "template strings" are a security risk:
> >
> > https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/template_strings
> >
> > It looks to me that the sql'...' version above is trivially vulnerable to
> > code injection attacks.
>
> The sql function could do all of the correct escaping. What's generally
> to be avoided is building the strings without escaping.

* quoting
* (per-dialect) reserved keywords
* http://docs.sqlalchemy.org/en/rel_1_0/dialects/

>
> And there's no particular reason that the sql function would even return
> a string: it might return an object that generated and stored the string
> "select ? from ?" and stored the values for columns and names (dbapi
> qmark style).

(All of these work--around fragile text-based query languages):

* RDF Interfaces
* Accumulo Iterators
* pandas (hdfs, SQLAlchemy)
* blaze
* Ibis Python -> LLVM

>
> I'm still -0, I'm just trying to explain how this is not like a normal
> function call, at least as I understand Yuri's proposal.
>
> Eric.
>
>
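Added example (mine, not code from the thread or from any PEP): a sketch of the "sql() returns an object holding the query text plus stored parameters" idea above, built on sqlite3's qmark paramstyle. It departs from the literal "select ? from ?" in one respect a practitioner should know: DB-API parameters bind values only, so table and column names cannot go through "?" and are instead run through an identifier allow-list and double-quoted (the quoting / reserved-keyword concerns in the bullets above). The names Query, Ident, sql, unsafe_sql and lookup are hypothetical; the locals capture via sys._getframe is CPython-specific and only mimics the implicit-scope behaviour being debated. The users table and rows are a constructed fixture.

```python
import re
import sqlite3
import sys
from dataclasses import dataclass
from string import Formatter

# Hypothetical helper names (Ident, Query, sql, unsafe_sql, lookup); not from the thread.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class Ident(str):
    """Marks a caller value as a SQL identifier (table or column name).

    Identifiers cannot be bound as '?' parameters, so they are checked
    against a conservative allow-list and double-quoted into the text.
    """


def quote_ident(name):
    if not _IDENT.fullmatch(name):
        raise ValueError(f"refusing identifier {name!r}")
    return '"' + name + '"'


@dataclass(frozen=True)
class Query:
    text: str      # e.g. 'select "name" from "users" where id = ?'
    params: tuple  # values handed to the driver, never spliced into text


def sql(template, **overrides):
    """Build a Query from a template; {names} come from the caller's locals
    (CPython-specific sys._getframe, mimicking implicit scope capture)
    unless given explicitly as keyword arguments."""
    scope = dict(sys._getframe(1).f_locals)
    scope.update(overrides)
    text, params = [], []
    for literal, name, spec, conv in Formatter().parse(template):
        text.append(literal)
        if name is None:
            continue
        if spec or conv:
            raise ValueError("format specs/conversions not allowed in sql templates")
        value = scope[name]
        if isinstance(value, Ident):
            text.append(quote_ident(value))  # identifier: validate, then quote
        else:
            text.append("?")                 # value: placeholder, bound by driver
            params.append(value)
    return Query("".join(text), tuple(params))


def unsafe_sql(template, **overrides):
    """The naive alternative: plain str.format into the query text."""
    scope = dict(sys._getframe(1).f_locals)
    scope.update(overrides)
    return template.format(**scope)


def _db():
    # Constructed in-memory fixture, not data from the thread.
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer, name text)")
    con.executemany("insert into users values (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def lookup(name, parameterized=True):
    """Ids of rows whose name matches; parameterized=False splices the value in."""
    con = _db()
    table = Ident("users")
    if parameterized:
        q = sql("select id from {table} where name = {name}")
        rows = con.execute(q.text, q.params).fetchall()
    else:
        rows = con.execute(unsafe_sql("select id from users where name = '{name}'")).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    payload = "x' or '1'='1"
    print(lookup("alice"))                       # [1]
    print(lookup(payload, parameterized=False))  # [1, 2]: injection succeeds
    print(lookup(payload))                       # []: bound as a plain value
    print(sql("select {c} from {t}", c=Ident("name"), t=Ident("users")))
```

The same template that is injectable under str.format is harmless once the value travels as a bound parameter, and an identifier such as "users; drop table users" is rejected before any text is built rather than being quoted into a statement the driver would then run.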