PEP 675 [1] introduces a supertype for precise literal string types, such as `Literal["foo"]`, called `LiteralString`. The PEP allows libraries to distinguish the type of command strings from data. Powerful, command-executing libraries try to prevent security vulnerabilities by accepting arguments separately from the SQL query or shell command. However, these libraries have no way to prevent programmers from, say, using f-strings to embed arguments within the command string, which can allow malicious users to execute arbitrary commands (called "SQL/shell injection"). With this PEP, libraries can rely on type checkers to prevent such common, undesired uses. Scala has a very similar concept that is used to prevent SQL injection at compile time. [5] We also discuss the drawbacks of alternative approaches, such as security linters, full taint analysis, and NewTypes [6]. Since we have reached consensus on the PEP in typing-sig [2], we wanted to get your comments and suggestions before submitting to the Steering Council. This PEP is mainly useful for type checking. There are no changes to Python syntax or runtime behavior. Discussions: + typing-sig: [2] + BPO issue suggesting using this PEP to prevent vulnerabilities in loggers: [4] + Reddit thread on r/Python discussing this PEP: [3] Thanks, S Pradeep Kumar Graham Bleaney [1]: https://www.python.org/dev/peps/pep-0675/ [2]: https://mail.python.org/archives/list/typing-sig@python.org/thread/VB74EHNM4... [3]: https://www.reddit.com/r/Python/comments/r71lzi/pep_675_arbitrary_literal_st... [4]: https://bugs.python.org/issue46200 [5]: https://www.python.org/dev/peps/pep-0675/#literal-string-types-in-scala [6]: https://www.python.org/dev/peps/pep-0675/#rejected-alternatives