Python’s new t-strings

(davepeck.org)

620 points tambourine_man | 1 comments | 21 Apr 25 04:31 UTC | HN request time: 0s | source

Show context

TekMol ◴[21 Apr 25 08:37 UTC] No.43749608[source]▶

Will this allow neat SQL syntax like the following?

    city = 'London'
    min_age = 21
    # Find all users in London who are 21 or older:
    users = db.get(t'
        SELECT * FROM users
        WHERE city={city} AND age>{min_age}
    ')

If the db.get() function accepts a template, it should, right?

This would be the nicest way to use SQL I have seen yet.

replies(8): >>43749674 #>>43749734 #>>43749906 #>>43749926 #>>43749979 #>>43750037 #>>43751845 #>>43756963 #

jbaiter ◴[21 Apr 25 08:47 UTC] No.43749674[source]▶

>>43749608 #

Thanks, I hate it. While it's nice syntactic sugar, the difference between an SQL injection vulnerability and a properly parametrized query is now a single letter that's easily missed

replies(5): >>43749680 #>>43749683 #>>43749690 #>>43749804 #>>43750217 #

TekMol ◴[21 Apr 25 08:49 UTC] No.43749683[source]▶

>>43749674 #

I guess that is a misunderstanding on your side, about how templates work. Less hate and more love might help to avoid this type of hotheaded misconception ;-)

Why do you think changing a letter would cause a vulnerability? Which letter do you mean?

replies(2): >>43749724 #>>43749727 #

hyperbovine ◴[21 Apr 25 08:54 UTC] No.43749724[source]▶

>>43749683 #

OP is referring to swapping t with f.

replies(1): >>43749735 #

TekMol ◴[21 Apr 25 08:56 UTC] No.43749735[source]▶

>>43749724 #

That would result in a string passed to get() and raise an error as get() operates on a template, not on a string.

replies(1): >>43749873 #

baegi ◴[21 Apr 25 09:19 UTC] No.43749873[source]▶

>>43749735 #

except if get() can also accept a raw string, which is likely

replies(2): >>43749901 #>>43749967 #

mcintyre1994 ◴[21 Apr 25 09:34 UTC] No.43749967[source]▶

>>43749873 #

No sane library is going to do that. If they do let you pass a raw string it should be a different function with the risks clearly documented.

The thing this replaces is every library having their own bespoke API to create a prepared statement on their default/safe path. Now they can just take a template.

replies(1): >>43752452 #

crazygringo ◴[21 Apr 25 14:32 UTC] No.43752452[source]▶

>>43749967 #

How about every library that wants to preserve backwards compatibility?

Or are you suggesting that e.g. every database module needs to implement a new set of query functions with new names that supports templates? Which is probably the correct thing to do, but boy is it going to be ugly...

So now you'll have to remember never to use 'execute()' but always 'execute_t()' or something.

replies(3): >>43753071 #>>43753359 #>>43754461 #

1. WorldMaker ◴[21 Apr 25 15:30 UTC] No.43753071[source]▶

>>43752452 #

You don't have to remember it, you can use deprecation warnings and lint tools to remind you. (Until eventually the safe API is the only API and then you really have nothing to remember.)

↑