[Python-ideas] extensible template strings
MRAB
python at mrabarnett.plus.com
Thu Aug 20 03:30:45 CEST 2015
On 2015-08-20 01:47, Nathaniel Smith wrote:
> On Aug 19, 2015 17:29, "Steven D'Aprano" <steve at pearwood.info
> <mailto:steve at pearwood.info>> wrote:
> >
> > On Wed, Aug 19, 2015 at 08:15:05PM -0400, Eric V. Smith wrote:
> > > I agree that if it were just about hiding a function call, it
> > > wouldn't be interesting at all.
> > >
> > > But just as:
> > > f'My name is {name}'
> > >
> > > is arguably an improvement over:
> > > 'My name is {0}'.format(name)
> > >
> > > So too would:
> > > sql'select {columns} from {table}'
> > >
> > > be easier to read than:
> > > sql.run('select {} from {}', columns, table)
> >
> [...]
> > It looks to me that the sql'...' version above is trivially
> > vulnerable to code injection attacks.
>
> The proposal is more subtle than that: the sql'...' version would
> expand to something like the sql.run(...) version, i.e. python would
> be responsible for pulling out the embedded code from the string and
> evaluating it, and then the sql object would be responsible for
> safely sticking the values back into the string in an sql-appropriate
> way or otherwise handling them.
>
I would've thought that it would be 'expanded' at compile-time like a
macro.
There would be a registered macro for the "sql" tag. It would be given
the string literal and would return the AST.
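The mechanism Nathaniel describes above, as an added example that is not part of the original thread or of any Python implementation: Python splits the tagged literal into its text and its `{expr}` pieces, and the "sql" tag decides how each piece gets back into the query. Because a plain function cannot claim a string prefix, the example takes the template as an ordinary string and evaluates the placeholders in the caller's frame, standing in for what the compiler (or MRAB's compile-time macro) would do. The names `sql`, `Identifier`, `compare`, `render_example` and the sample `users` table are all assumptions made for this example.

```python
import re
import sqlite3
import sys

# Added example, not code from the original thread. Names below are assumptions.
# Values become '?' bind parameters; table and column names (which cannot be
# bound) are spliced in as quoted identifiers, so user input never reaches
# the SQL text itself.

_PLACEHOLDER = re.compile(r"\{([^{}]+)\}")


class Identifier(str):
    """A table or column name. It is spliced into the SQL text as a
    double-quoted identifier with embedded '"' doubled, the standard SQL
    escaping that SQLite accepts."""

    def quoted(self):
        return '"' + self.replace('"', '""') + '"'


def sql(template, _depth=1):
    """Expand a template into (sql_text, params).

    Each {expr} is evaluated in the caller's scope, as an f-string would be
    (eval runs on the programmer's own literal, never on runtime data).
    Identifier values are spliced in quoted; every other value becomes a
    '?' marker and is appended to params.
    """
    caller = sys._getframe(_depth)
    params = []

    def replace(match):
        value = eval(match.group(1), caller.f_globals, caller.f_locals)
        if isinstance(value, Identifier):
            return value.quoted()
        if isinstance(value, (list, tuple)) and all(isinstance(v, Identifier) for v in value):
            return ", ".join(v.quoted() for v in value)
        params.append(value)
        return "?"

    return _PLACEHOLDER.sub(replace, template), tuple(params)


def _demo_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, role text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_naive(conn, name):
    """The formatting the thread warns about: input pasted into the SQL text."""
    query = "select name from users where name = '{}' order by name".format(name)
    return [row[0] for row in conn.execute(query)]


def lookup_tagged(conn, name):
    """The same query through the tag: the name travels as a bind parameter."""
    columns = [Identifier("name")]
    table = Identifier("users")
    text, params = sql("select {columns} from {table} where name = {name} order by name")
    return [row[0] for row in conn.execute(text, params)]


def render_example():
    """The thread's own example, rendered by the tag (no bind parameters)."""
    columns = [Identifier("name"), Identifier("role")]
    table = Identifier("users")
    return sql("select {columns} from {table}")


def compare(payload="' or '1'='1"):
    """Run both lookups on the same input; the default is an injection payload
    constructed for this demo."""
    conn = _demo_db()
    return {"naive": lookup_naive(conn, payload), "tagged": lookup_tagged(conn, payload)}


if __name__ == "__main__":
    print(render_example())
    print(compare())
```

With the injection payload, the naive query collapses to `where name = '' or '1'='1'` and returns every row, while the tagged version compares the literal string and returns nothing. A compile-time macro, as MRAB suggests, would perform the same split on the literal and emit the AST for the equivalent call, which removes the `eval` and the frame inspection that this run-time stand-in needs.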