(davepeck.org)

620 points tambourine_man | 1 comments | 21 Apr 25 04:31 UTC | HN request time: 0s | source

Show context

TekMol ◴[21 Apr 25 08:37 UTC] No.43749608[source]▶

Will this allow neat SQL syntax like the following?

    city = 'London'
    min_age = 21
    # Find all users in London who are 21 or older:
    users = db.get(t'
        SELECT * FROM users
        WHERE city={city} AND age>{min_age}
    ')

If the db.get() function accepts a template, it should, right?

This would be the nicest way to use SQL I have seen yet.

replies(8): >>43749674 #>>43749734 #>>43749906 #>>43749926 #>>43749979 #>>43750037 #>>43751845 #>>43756963 #

jbaiter ◴[21 Apr 25 08:47 UTC] No.43749674[source]▶

>>43749608 #

Thanks, I hate it. While it's nice syntactic sugar, the difference between an SQL injection vulnerability and a properly parametrized query is now a single letter that's easily missed

replies(5): >>43749680 #>>43749683 #>>43749690 #>>43749804 #>>43750217 #

TekMol ◴[21 Apr 25 08:49 UTC] No.43749683[source]▶

>>43749674 #

I guess that is a misunderstanding on your side, about how templates work. Less hate and more love might help to avoid this type of hotheaded misconception ;-)

Why do you think changing a letter would cause a vulnerability? Which letter do you mean?

replies(2): >>43749724 #>>43749727 #

hyperbovine ◴[21 Apr 25 08:54 UTC] No.43749724[source]▶

>>43749683 #

OP is referring to swapping t with f.

replies(1): >>43749735 #

TekMol ◴[21 Apr 25 08:56 UTC] No.43749735[source]▶

>>43749724 #

That would result in a string passed to get() and raise an error as get() operates on a template, not on a string.

replies(1): >>43749873 #

baegi ◴[21 Apr 25 09:19 UTC] No.43749873[source]▶

>>43749735 #

except if get() can also accept a raw string, which is likely

replies(2): >>43749901 #>>43749967 #

1. orphea ◴[21 Apr 25 09:25 UTC] No.43749901{3}[source]▶

>>43749873 #

Why would it?

↑

Python’s new t-strings