Python’s new t-strings

(davepeck.org)

620 points tambourine_man | 1 comments | 21 Apr 25 04:31 UTC | HN request time: 0.823s | source

Show context

7734128 ◴[21 Apr 25 08:24 UTC] No.43749531[source]▶

Sure, this avoids issues with SQL injections. However, I have a hard time imagining any developer who would both make such fundamental errors with f-strings currently and also switching to this option when it ships.

Seems like a self selection which renders this meaningless, to some extent :/

replies(2): >>43749587 #>>43756893 #

masklinn ◴[21 Apr 25 08:34 UTC] No.43749587[source]▶

>>43749531 #

> However, I have a hard time imagining any developer who would both make such fundamental errors with f-strings currently and also switching to this option when it ships.

t-strings are a different type (both static and dynamic), f-strings are not. So t-strings can be mandated at the API level, forcing the developer into "proper" usage.

That is, you need third-party tools to differentiate between

    some_call("safe literal string")

and

    some_call(f"unsafe dynamically created string")

That is not the case when it comes to t-strings, `some_call` can typecheck internally that it got a t-string, and reject regular strings entirely.

Although some space probably needs to be made for composing t-strings together in case of e.g. runtime variation in items or their count. Facetting for instance. I don't know if that's a native affordance of t-strings.

replies(1): >>43749616 #

Timwi ◴[21 Apr 25 08:38 UTC] No.43749616[source]▶

>>43749587 #

But that would require any SQL library you're currently using to make the breaking change of no longer allowing strings.

replies(4): >>43749700 #>>43751258 #>>43752396 #>>43756899 #

1. sanderjd ◴[21 Apr 25 21:49 UTC] No.43756899[source]▶

>>43749616 #

Yes. That's exactly what will happen, over time.

↑