←back to thread

Python’s new t-strings

(davepeck.org)
620 points tambourine_man | 8 comments | 21 Apr 25 04:31 UTC | HN request time: 0.226s | source | bottom
1. 7734128 ◴[21 Apr 25 08:24 UTC] No.43749531[source]
Sure, this avoids issues with SQL injections. However, I have a hard time imagining any developer who would both make such fundamental errors with f-strings currently and also switching to this option when it ships.

Seems like a self selection which renders this meaningless, to some extent :/

replies(2): >>43749587 #>>43756893 #
2. masklinn ◴[21 Apr 25 08:34 UTC] No.43749587[source]
> However, I have a hard time imagining any developer who would both make such fundamental errors with f-strings currently and also switching to this option when it ships.

t-strings are a different type (both static and dynamic), f-strings are not. So t-strings can be mandated at the API level, forcing the developer into "proper" usage.

That is, you need third-party tools to differentiate between

    some_call("safe literal string")
and

    some_call(f"unsafe dynamically created string")
That is not the case when it comes to t-strings, `some_call` can typecheck internally that it got a t-string, and reject regular strings entirely.

Although some space probably needs to be made for composing t-strings together in case of e.g. runtime variation in items or their count. Facetting for instance. I don't know if that's a native affordance of t-strings.

replies(1): >>43749616 #
3. Timwi ◴[21 Apr 25 08:38 UTC] No.43749616[source]
But that would require any SQL library you're currently using to make the breaking change of no longer allowing strings.
replies(4): >>43749700 #>>43751258 #>>43752396 #>>43756899 #
4. baggiponte ◴[21 Apr 25 08:51 UTC] No.43749700{3}[source]
sqlalchemy doesn’t really accepts strings - if you do, you need to pass them into a “conn.execute(text(…))”, so end users should not face a breaking change.
5. nhumrich ◴[21 Apr 25 12:34 UTC] No.43751258{3}[source]
Yep. Probably worth it. You could also do this with a monkeypatch method to "opt in" to this change.
6. masklinn ◴[21 Apr 25 14:26 UTC] No.43752396{3}[source]
Yes?
7. sanderjd ◴[21 Apr 25 21:48 UTC] No.43756893[source]
Eventually, you won't be able to pass a string into the commonly-used DB libraries.
8. sanderjd ◴[21 Apr 25 21:49 UTC] No.43756899{3}[source]
Yes. That's exactly what will happen, over time.