Python’s new t-strings

(davepeck.org)

620 points tambourine_man | 1 comments | 21 Apr 25 04:31 UTC | HN request time: 0.491s | source

Show context

serbuvlad ◴[21 Apr 25 09:51 UTC] No.43750075[source]▶

All things considered, this is pretty cool. Basically, this replaces

    db.execute("QUERY WHERE name = ?", (name,))

with

    db.execute(t"QUERY WHERE name = {name}")

Does the benefit from this syntactic sugar outweigh the added complexity of a new language feature? I think it does in this case for two reasons:

1. Allowing library developers to do whatever they want with {} expansions is a good thing, and will probably spawn some good uses.

2. Generalizing template syntax across a language, so that all libraries solve this problem in the same way, is probably a good thing.

replies(12): >>43750226 #>>43750250 #>>43750260 #>>43750279 #>>43750513 #>>43750750 #>>43752117 #>>43752173 #>>43752293 #>>43754738 #>>43756560 #>>43763190 #

NewEntryHN ◴[21 Apr 25 10:25 UTC] No.43750260[source]▶

>>43750075 #

Assuming you also need to format non-values in the SQL (e.g. column names), how does the `execute` function is supposed to make the difference between stuff that should be formatted in the string vs a parametrized value?

replies(1): >>43750285 #

masklinn ◴[21 Apr 25 10:30 UTC] No.43750285[source]▶

>>43750260 #

Same as currently: the library provides some sort of `Identifier` wrapper you can apply to those.

replies(1): >>43750354 #

NewEntryHN ◴[21 Apr 25 10:42 UTC] No.43750354[source]▶

>>43750285 #

Fair enough. It would be nice if Python allowed to customize the formatting options after `:`

This way you could encode such identifier directly in the t-string variable rather than with some "out-of-band" logic.

replies(2): >>43750418 #>>43751198 #

masklinn ◴[21 Apr 25 12:28 UTC] No.43751198[source]▶

>>43750354 #

> Fair enough. It would be nice if Python allowed to customize the formatting options after `:`

It does, the `Interpolation` object contains an arbitrary `format_spec` string: https://peps.python.org/pep-0750/#the-interpolation-type

However I think using the format spec that way would be dubious and risky, because it makes the sink responsible for whitelisting values, and that means any processing between the source and sink becomes a major risk. It's the same issue as HTML templates providing `raw` output, now you have to know to audit any modification to the upstream values which end there, which is a lot harder to do than when "raw markup" values are reified.

> rather than with some "out-of-band" logic.

It's the opposite, moving it to the format spec is out of band because it's not attached to values, it just says "whatever value is here is safe", which is generally not true.

Unless you use the format spec as a way to signal that a term should use identifier escaping rules rather than value escaping rules (something only the sink knows), and an `Identifier` wrapper remains a way to bypass that.

replies(1): >>43752672 #

1. pphysch ◴[21 Apr 25 14:53 UTC] No.43752672[source]▶

>>43751198 #

> Unless you use the format spec as a way to signal that a term should use identifier escaping rules rather than value escaping rules (something only the sink knows)

This should be quiet common in the SQL applications. It will be nice to write t"select {name:id} from {table:id} where age={age}" and be confident that the SQL will be formatted correctly, with interpolations defaulting to (safe) literal values.

↑