Most active commenters

    ←back to thread

    Python’s new t-strings

    (davepeck.org)
    620 points tambourine_man | 13 comments | 21 Apr 25 04:31 UTC | HN request time: 0.821s | source | bottom
    Show context
    serbuvlad ◴[21 Apr 25 09:51 UTC] No.43750075[source]
    All things considered, this is pretty cool. Basically, this replaces

        db.execute("QUERY WHERE name = ?", (name,))
    with

        db.execute(t"QUERY WHERE name = {name}")
    Does the benefit from this syntactic sugar outweigh the added complexity of a new language feature? I think it does in this case for two reasons:

    1. Allowing library developers to do whatever they want with {} expansions is a good thing, and will probably spawn some good uses.

    2. Generalizing template syntax across a language, so that all libraries solve this problem in the same way, is probably a good thing.

    replies(12): >>43750226 #>>43750250 #>>43750260 #>>43750279 #>>43750513 #>>43750750 #>>43752117 #>>43752173 #>>43752293 #>>43754738 #>>43756560 #>>43763190 #
    1. pinoy420 ◴[21 Apr 25 10:17 UTC] No.43750226[source]
    Now instead of being explicit all it takes is someone unfamiliar with t strings (which will be almost everyone - still few know about f strings and their formatting capabilities) to use an f instead and you are in for a bad time.
    replies(5): >>43750270 #>>43750280 #>>43750323 #>>43751292 #>>43753934 #
    2. falcor84 ◴[21 Apr 25 10:27 UTC] No.43750270[source]
    That is an issue, but essentially it boils down to the existing risk of unknowledgeable people not escaping untrusted inputs. The solution should be more education and better tooling (linters, SAST), and t-strings are likely to help with both.
    replies(1): >>43750308 #
    3. ◴[21 Apr 25 10:30 UTC] No.43750280[source]
    4. masklinn ◴[21 Apr 25 10:34 UTC] No.43750308[source]
    t-strings allow building APIs which don't accept strings at all (or require some sort of opt-in), and will always error on such. That's the boon.

    Having to write

        cr.execute(t"...")
    even when there's nothing to format in is not a big imposition.
    5. mcintyre1994 ◴[21 Apr 25 10:36 UTC] No.43750323[source]
    Any sane library will just error when you pass a string to a function that expects a template though. And that library will have types too so your IDE tells you before you get that far.
    replies(2): >>43752466 #>>43753438 #
    6. sanderjd ◴[21 Apr 25 12:37 UTC] No.43751292[source]
    No, because they don't return a string, so good library authors will raise a type error when that happens, for exactly this reason.
    7. Dx5IQ ◴[21 Apr 25 14:33 UTC] No.43752466[source]
    Such library functions tend to also accept a string as a valid input. E.g. db.execute from the GP usually works with strings to allow non-parametrized SQL queries.
    replies(2): >>43752850 #>>43769225 #
    8. kccqzy ◴[21 Apr 25 15:12 UTC] No.43752850{3}[source]
    The library should just refuse strings. If a non parametrized query is desired, it could require the user to supply a t-string with no {}.
    9. _Algernon_ ◴[21 Apr 25 15:59 UTC] No.43753438[source]
    This would break backwardcompatibility pretty hard. In many cases it may not be worth it.
    replies(2): >>43753990 #>>43754551 #
    10. hackrmn ◴[21 Apr 25 16:47 UTC] No.43753934[source]
    I suppose lack of overlap in the "interface surface" (attributes, including callables) between `str` and `Template` should nip the kind of issue in the bud -- being passed a `Template` and needing to actually "instantiate" it -- accessing `strings` and `values` attributes on the passed object, will likely fail at runtime when attempted on a string someone passed instead (e.g. confusing a `t`-string with an `f`-string)?
    11. eichin ◴[21 Apr 25 16:54 UTC] No.43753990{3}[source]
    But now at least the language has the necessary rope (and an opportunity for a cultural push to insist on it.)
    12. hombre_fatal ◴[21 Apr 25 17:51 UTC] No.43754551{3}[source]
    Javascript already has prior art here.

    A library can extend an existing database library like 'pg' so that PgClient#query() and PgPool#query() require string template statements.

    That way 'pg' can continue working with strings, and people who want nice templated strings can use the small extension library, and the small extension library makes it impossible to accidentally pass strings into the query functions.

    13. dragonwriter ◴[23 Apr 25 06:29 UTC] No.43769225{3}[source]
    > Such library functions tend to also accept a string as a valid input.

    Also? They tend only to accept a string (possibly with some additional arguments, if there is an in-library way to handle parameterization) as input, because Template literally hasn't been an option. New APIs designed with Template available will look different.