Most active commenters
  • TekMol(3)
  • mcintyre1994(3)

←back to thread

Python’s new t-strings

(davepeck.org)
620 points tambourine_man | 15 comments | 21 Apr 25 04:31 UTC | HN request time: 2.055s | source | bottom
Show context
TekMol ◴[21 Apr 25 08:37 UTC] No.43749608[source]
Will this allow neat SQL syntax like the following?

    city = 'London'
    min_age = 21
    # Find all users in London who are 21 or older:
    users = db.get(t'
        SELECT * FROM users
        WHERE city={city} AND age>{min_age}
    ')
If the db.get() function accepts a template, it should, right?

This would be the nicest way to use SQL I have seen yet.

replies(8): >>43749674 #>>43749734 #>>43749906 #>>43749926 #>>43749979 #>>43750037 #>>43751845 #>>43756963 #
jbaiter ◴[21 Apr 25 08:47 UTC] No.43749674[source]
Thanks, I hate it. While it's nice syntactic sugar, the difference between an SQL injection vulnerability and a properly parametrized query is now a single letter that's easily missed
replies(5): >>43749680 #>>43749683 #>>43749690 #>>43749804 #>>43750217 #
1. TekMol ◴[21 Apr 25 08:49 UTC] No.43749683[source]
I guess that is a misunderstanding on your side, about how templates work. Less hate and more love might help to avoid this type of hotheaded misconception ;-)

Why do you think changing a letter would cause a vulnerability? Which letter do you mean?

replies(2): >>43749724 #>>43749727 #
2. hyperbovine ◴[21 Apr 25 08:54 UTC] No.43749724[source]
OP is referring to swapping t with f.
replies(1): >>43749735 #
3. codesnik ◴[21 Apr 25 08:55 UTC] No.43749727[source]
f'' vs t'' probably.
replies(2): >>43749818 #>>43749866 #
4. TekMol ◴[21 Apr 25 08:56 UTC] No.43749735[source]
That would result in a string passed to get() and raise an error as get() operates on a template, not on a string.
replies(1): >>43749873 #
5. tannhaeuser ◴[21 Apr 25 09:09 UTC] No.43749818[source]
Wow that's only slightly better than using the lowercase letter L vs the digit 1 or letter O vs zero to convey a significant difference.
6. melodyogonna ◴[21 Apr 25 09:18 UTC] No.43749866[source]
Those are two different types
7. baegi ◴[21 Apr 25 09:19 UTC] No.43749873{3}[source]
except if get() can also accept a raw string, which is likely
replies(2): >>43749901 #>>43749967 #
8. orphea ◴[21 Apr 25 09:25 UTC] No.43749901{4}[source]
Why would it?
9. mcintyre1994 ◴[21 Apr 25 09:34 UTC] No.43749967{4}[source]
No sane library is going to do that. If they do let you pass a raw string it should be a different function with the risks clearly documented.

The thing this replaces is every library having their own bespoke API to create a prepared statement on their default/safe path. Now they can just take a template.

replies(1): >>43752452 #
10. crazygringo ◴[21 Apr 25 14:32 UTC] No.43752452{5}[source]
How about every library that wants to preserve backwards compatibility?

Or are you suggesting that e.g. every database module needs to implement a new set of query functions with new names that supports templates? Which is probably the correct thing to do, but boy is it going to be ugly...

So now you'll have to remember never to use 'execute()' but always 'execute_t()' or something.

replies(3): >>43753071 #>>43753359 #>>43754461 #
11. WorldMaker ◴[21 Apr 25 15:30 UTC] No.43753071{6}[source]
You don't have to remember it, you can use deprecation warnings and lint tools to remind you. (Until eventually the safe API is the only API and then you really have nothing to remember.)
12. mcintyre1994 ◴[21 Apr 25 15:54 UTC] No.43753359{6}[source]
I’d assume their current safe function isn’t taking a string, and is taking some sort of prepared statement? So they could have it take either their prepared statement or a template, and deprecate their prepared statement.

If a library has functions taking a string and executing it as SQL they probably shouldn’t make that take a template instead, but I’d hope that’s a separate explicitly unsafe function already.

replies(1): >>43753466 #
13. crazygringo ◴[21 Apr 25 16:00 UTC] No.43753466{7}[source]
For sqlite3, it absolutely takes a regular string.

If you want to substitute parameters, you put a '?' in the string for each one, and provide an additional (optional) tuple parameter with the variables.

So no, there's no explicitly unsafe function. That's my point.

replies(1): >>43753534 #
14. mcintyre1994 ◴[21 Apr 25 16:07 UTC] No.43753534{8}[source]
Gotcha. I’d guess they’d want to deprecate that function and create a new one that only accepts a template then, which is definitely annoying! I figured they’d already have more separation between prepared and raw strings which would make it easier.
15. ◴[21 Apr 25 17:40 UTC] No.43754461{6}[source]