
620 points tambourine_man | 2 comments
TekMol No.43749608
Will this allow neat SQL syntax like the following?

    city = 'London'
    min_age = 21
    # Find all users in London who are 21 or older
    # (>= rather than >, otherwise 21-year-olds are excluded;
    # triple quotes so the template can span lines):
    users = db.get(t'''
        SELECT * FROM users
        WHERE city={city} AND age>={min_age}
    ''')
If the db.get() function accepts a template, it should, right?

This would be the nicest way to use SQL I have seen yet.

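To make the question concrete, here is an added example (not code from the original post, and not PEP 750's or any database driver's own code) of how a db.get() that accepts a template can turn it into a parameterized query. The Template and Interpolation classes below are stand-ins for string.templatelib (Python 3.14) so the file runs on older interpreters; DB, to_parameterized, the sample rows and the injection payload are all assumed for illustration. It also shows the property a template-only method gives you: a plain str, and therefore an f-string, is rejected outright.

```python
import sqlite3
from dataclasses import dataclass
from typing import Any


# Stand-ins for string.templatelib.Template / Interpolation (PEP 750, Python
# 3.14), assumed here so the example runs on older interpreters. On 3.14 a
# t'...' literal produces a Template with the same two attributes used below.
@dataclass(frozen=True)
class Interpolation:
    value: Any        # the evaluated {expression}
    expression: str   # its source text, e.g. "city"


@dataclass(frozen=True)
class Template:
    strings: tuple[str, ...]                   # literal fragments; always one more than interpolations
    interpolations: tuple[Interpolation, ...]


def to_parameterized(tmpl: Template) -> tuple[str, tuple]:
    """Render a Template as (sql, params) for a DB-API cursor.

    Only the literal fragments the developer typed reach the SQL parser; every
    interpolated value becomes a `?` placeholder and travels separately, so user
    input can never change the structure of the statement. (`?` is sqlite3's
    paramstyle; a driver using `%s` placeholders would need that instead.)
    """
    sql = tmpl.strings[0]
    params = []
    for interp, literal in zip(tmpl.interpolations, tmpl.strings[1:]):
        sql += "?" + literal
        params.append(interp.value)
    return sql, tuple(params)


class DB:
    """Hypothetical wrapper whose get() takes a Template, as in the question above."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT, city TEXT, age INTEGER)")
        # Constructed sample rows.
        self.conn.executemany(
            "INSERT INTO users VALUES (?, ?, ?)",
            [("alice", "London", 30), ("bob", "London", 19), ("carol", "Paris", 40)],
        )

    def get(self, query: Template) -> list[tuple]:
        # Refusing plain str is what breaks the f-string habit: a str has no
        # interpolations left to separate from SQL text, so nothing safe can be done with it.
        if not isinstance(query, Template):
            raise TypeError("db.get() takes a Template (t-string); pass t'...', not f'...'")
        sql, params = to_parameterized(query)
        return self.conn.execute(sql, params).fetchall()

    def get_unsafe(self, query: str) -> list[tuple]:
        # The f-string anti-pattern the thread is about: SQL text and data already mixed.
        return self.conn.execute(query).fetchall()


def template_lookup(db: DB, city: str, min_age: int) -> list[tuple]:
    # Hand-built equivalent of t'SELECT name FROM users WHERE city={city} AND age>={min_age}'
    tmpl = Template(
        ("SELECT name FROM users WHERE city=", " AND age>=", ""),
        (Interpolation(city, "city"), Interpolation(min_age, "min_age")),
    )
    return db.get(tmpl)


def fstring_lookup(db: DB, city: str, min_age: int) -> list[tuple]:
    # Same query built with an f-string: the city value is spliced into the SQL text.
    return db.get_unsafe(f"SELECT name FROM users WHERE city='{city}' AND age>={min_age}")


def rejects_plain_string(db: DB) -> bool:
    """True if get() refuses an f-string, the property a template-only API relies on."""
    city = "London"
    try:
        db.get(f"SELECT name FROM users WHERE city='{city}'")
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    db = DB()
    payload = "x' OR 1=1 --"                  # constructed injection payload
    print(template_lookup(db, "London", 21))  # [('alice',)]
    print(template_lookup(db, payload, 21))   # []  (the payload is just a city name that matches nothing)
    print(fstring_lookup(db, payload, 21))    # all three rows: the '--' comments out the age filter
    print(rejects_plain_string(db))           # True
```

The conversion is the whole trick: the template keeps the developer-written fragments and the runtime values apart until the driver binds them, which is exactly what a hand-written prepared statement does, minus the separate placeholder bookkeeping.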
zelphirkalt No.43751845
Isn't the actually proper way to use prepared statements anyway? If we are doing that properly, then what does this t string business buy us for SQL usage from Python?
scott_w No.43753528
Because, as the article states, people aren’t using prepared statements. Instead, they pass f-strings because they’re more convenient.
1. vultour No.43755093
Except, to maintain backwards compatibility, we're probably going to get new methods that only accept templates, completely circumventing any effort to stop people passing in strings.

Prepared statements were the recommended way to run SQL queries when I was starting with PHP 15 years ago; anyone writing code vulnerable to SQL injection at this point should not be writing code.

2. scott_w No.43755973
Well, yes, but the alternative is to never make language improvements because legacy code exists.