
On 08/06/2015 05:18 AM, Steven D'Aprano wrote:
> With the new syntax, Python's example will be:
>
>     os.system(f"rm {file}")
>
> or even
>
>     os.system("rm \{file}")
>
> if Eric's second proposal goes ahead. Similarly for SQL injection and other command injection attacks.
>
> It is true that the same issues can occur today, for example:
>
>     os.system("rm %s" % file)
>
> but it's easier to see the possibility of an injection with an explicit interpolation operator than the proposed implicit one.
Is it? Why? To me, the problem of injection is completely orthogonal to how exactly the string interpolation is performed. Also, there's nothing "implicit" about the new syntax. It does not magically interpolate where it feels like, or coerce objects to strings. It interpolates wherever you - explicitly - put the new syntax.

cheers,
Georg
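An added illustration of the point under discussion (example code, not from the thread or from CPython): the f-string and the `%` operator build byte-for-byte the same shell command, so the injection risk and its mitigation are identical for both; the filename below is a constructed sample, and `shell_commands` is an assumed helper that uses `shlex` to show how a POSIX shell would split the result.

```python
import shlex

# Constructed sample: an untrusted filename carrying a shell command separator.
UNTRUSTED_NAME = "report.txt; touch injected"


def command_fstring(file):
    # The proposed syntax: interpolation happens exactly where written.
    return f"rm {file}"


def command_percent(file):
    # The pre-existing explicit interpolation operator.
    return "rm %s" % file


def command_quoted(file):
    # Mitigation when a shell string is unavoidable: quote the untrusted
    # value so the shell sees it as a single word, whichever syntax built it.
    return f"rm {shlex.quote(file)}"


def argv_for_rm(file):
    # Preferred mitigation: no shell at all. Passing this list to
    # subprocess.run() hands the filename to rm as one argv element verbatim.
    return ["rm", "--", file]


def shell_commands(cmd):
    """Tokenise cmd the way a POSIX shell would and split on ';'.

    Returns a list of commands, each a list of words, so the caller can
    see whether the interpolated value stayed inside a single command.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for build in (command_fstring, command_percent, command_quoted):
        print(build.__name__, "->", shell_commands(build(UNTRUSTED_NAME)))
```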