(davepeck.org)

620 points tambourine_man | 1 comments | 21 Apr 25 04:31 UTC | HN request time: 0.213s | source

Show context

TekMol ◴[21 Apr 25 08:37 UTC] No.43749608[source]▶

Will this allow neat SQL syntax like the following?

    city = 'London'
    min_age = 21
    # Find all users in London who are 21 or older:
    users = db.get(t'
        SELECT * FROM users
        WHERE city={city} AND age>{min_age}
    ')

If the db.get() function accepts a template, it should, right?

This would be the nicest way to use SQL I have seen yet.

replies(8): >>43749674 #>>43749734 #>>43749906 #>>43749926 #>>43749979 #>>43750037 #>>43751845 #>>43756963 #

jbaiter ◴[21 Apr 25 08:47 UTC] No.43749674[source]▶

>>43749608 #

Thanks, I hate it. While it's nice syntactic sugar, the difference between an SQL injection vulnerability and a properly parametrized query is now a single letter that's easily missed

replies(5): >>43749680 #>>43749683 #>>43749690 #>>43749804 #>>43750217 #

JimDabell ◴[21 Apr 25 09:07 UTC] No.43749804[source]▶

>>43749674 #

The t-string produces a Template object without a __str__() method. You can’t mistakenly use an f-string in its place. Either the code expects a string, in which case passing it a Template would blow it up, or the code expects a Template, in which case passing it a string would blow it up.

replies(5): >>43749994 #>>43750148 #>>43750347 #>>43751082 #>>43752420 #

yk ◴[21 Apr 25 10:40 UTC] No.43750347[source]▶

>>43749804 #

That's entirely implementation dependent. For existing libraries I would expect something like

    def get(self, query):
        if isinstance(query, template):
            self.get_template(query)
        else:
            self.get_old(query) #Don't break old code!

replies(2): >>43752016 #>>43753887 #

1. darthwalsh ◴[21 Apr 25 16:42 UTC] No.43753887[source]▶

>>43750347 #

And they could add deprecation warnings gradually

↑

Python’s new t-strings