
620 points tambourine_man | 1 comments
serbuvlad No.43750075
All things considered, this is pretty cool. Basically, this replaces

    db.execute("QUERY WHERE name = ?", (name,))
with

    db.execute(t"QUERY WHERE name = {name}")
Does the benefit from this syntactic sugar outweigh the added complexity of a new language feature? I think it does in this case for two reasons:

1. Allowing library developers to do whatever they want with {} expansions is a good thing, and will probably spawn some good uses.

2. Generalizing template syntax across a language, so that all libraries solve this problem in the same way, is probably a good thing.

VWWHFSfQ No.43752293
> Allowing library developers to do whatever they want with {} expansions is a good thing, and will probably spawn some good uses.

I completely disagree with this. Look what happened to Log4J when it was given similar freedoms.

serbuvlad No.43756280
I think this would have solved the log4j vulnerability, no?

As I understand it, log4j allowed malicious ${} expansion in any string passed to logging functions. So logging user-generated code at all would be a security hole.

But Python's t-strings purposely _do not_ expand user code, they only expand the string literal.
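The two points made in this thread, that a library can decide what `{}` expansions mean (the `db.execute(t"...")` sugar in the first comment) and that the *values* are never re-parsed (the log4j contrast in the last one), can be shown in a few lines. The following is an added example, not code from the thread or from CPython. It assumes PEP 750's `Template`/`Interpolation` shape (`.strings` and `.interpolations`) and defines minimal stand-ins so it also runs on interpreters older than 3.14; the `sql()` renderer, the `find_user` helper and the sample rows are constructed for this illustration.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass
from typing import Any

# Minimal stand-ins for PEP 750's string.templatelib.Template / Interpolation
# (assumption: same attribute names as the real 3.14 classes). They exist only
# so this runs on older interpreters; a real t"..." literal exposes the same
# .strings / .interpolations, so sql() works on it unchanged.
@dataclass(frozen=True)
class Interpolation:
    value: Any          # the evaluated expression, kept as an object, never stringified
    expression: str     # source text of the expression, e.g. "name"
    conversion: str | None = None
    format_spec: str = ""


@dataclass(frozen=True)
class Template:
    strings: tuple[str, ...]                  # literal pieces; always one more than interpolations
    interpolations: tuple[Interpolation, ...]


def sql(template: Template) -> tuple[str, tuple[Any, ...]]:
    """Render a template into (query, params).

    Only the literal pieces of the template reach the SQL text. Each interpolated
    value becomes a '?' placeholder and is handed to the driver as a bound
    parameter, so quotes, braces or '${...}' sequences inside a value stay data.
    """
    parts: list[str] = []
    params: list[Any] = []
    for literal, interp in zip(template.strings, template.interpolations):
        parts.append(literal)
        parts.append("?")
        params.append(interp.value)
    parts.append(template.strings[-1])
    return "".join(parts), tuple(params)


def find_user(conn: sqlite3.Connection, name: str) -> list[tuple[Any, ...]]:
    # Equivalent of: conn.execute(*sql(t"SELECT id, name FROM users WHERE name = {name}"))
    template = Template(
        strings=("SELECT id, name FROM users WHERE name = ", ""),
        interpolations=(Interpolation(name, "name"),),
    )
    query, params = sql(template)
    return conn.execute(query, params).fetchall()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: the second name contains a quote and a {} sequence,
    # exactly the kind of content that must never be spliced into SQL text.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("o'brien {name}",)])
    return conn


if __name__ == "__main__":
    conn = make_db()
    print(sql(Template(("SELECT 1 WHERE x = ", ""), (Interpolation("v", "v"),))))
    print(find_user(conn, "o'brien {name}"))   # matches literally; braces are not expanded
```

The rendered query contains no byte of the caller's value, which is the property that separates this design from log4j-style lookups: the template author's literal text is the only thing the renderer interprets, and anything arriving through an interpolation is passed to the driver as a parameter.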