f-string: empty expression should be allowed
Hello,

consider this snippet please

    cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');")
    SyntaxError: f-string: empty expression not allowed

It is (absolutely) correct to insert empty json into database table field. Empty expression in f-string should
* (silently) expand as '{}' (opening and closing braces),
* generate a (compile time) warning if requested, e.g. with -W.

Thank you in advance
Hans
On 10/22/2020 4:58 AM, Hans Ginzel wrote:
Hello,
consider this snippet please
cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');") SyntaxError: f-string: empty expression not allowed
It is (absolutely) correct to insert empty json into database table field. Empty expression in f-string should * (silently) expand as '{}' (opening and closing braces), * generate a (compile time) warning if requested, e.g. with -W.
You can use f"INSERT INTO {table} VALUES (1, '{{}}');". The doubled braces become single braces inside an f-string.
Eric
On Thu, Oct 22, 2020 at 10:58:00AM +0200, Hans Ginzel wrote:
Hello,
consider this snippet please
cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');") SyntaxError: f-string: empty expression not allowed
Escape the braces by doubling them: f"INSERT INTO {table} VALUES (1, '{{}}');"
It is (absolutely) correct to insert empty json into database table field.
Sure, but the syntax error has nothing to do with the database. The syntax error occurs long before the SQL gets executed. The problem here is with the f-string, not the call to cursor.execute. We can simplify the example to this: f'{}' and avoid the distraction of JSON, SQL, databases, etc.
Empty expression in f-string should * (silently) expand as '{}' (opening and closing braces), * generate a (compile time) warning if requested, e.g. with -W.
We could do that, but this is more likely to just hide bugs in the f-string than be useful. -- Steve
On Thu, Oct 22, 2020 at 08:31:34PM +1100, Steven D'Aprano wrote:
cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');") SyntaxError: f-string: empty expression not allowed
Escape the braces by doubling them: f"INSERT INTO {table} VALUES (1, '{{}}');"
Thank you for (ugly) workaround.
The problem here is with the f-string, not the call to cursor.execute. We can simplify the example to this: f'{}' and avoid the distraction of JSON, SQL, databases, etc.
Technically we can, but the context gives us a useful example. Strings like f"Use braces ({}) for {something}." are also a useful example.
Empty expression in f-string should * (silently) expand as '{}' (opening and closing braces), * generate a (compile time) warning if requested, e.g. with -W.
We could do that, but this is more likely to just hide bugs in the f-string than be useful.
Thank you, that would be great and useful. Users will be warned before a potential bug two times: 1) They will see the {} in output (which should be tested). 2) By the compiler when they ask for (-W), which is a better behaviour than forced carefulness.
-- BR, H.
On Thu, 22 Oct 2020 at 11:39, Hans Ginzel <hans@matfyz.cz> wrote:
On Thu, Oct 22, 2020 at 08:31:34PM +1100, Steven D'Aprano wrote:
cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');") SyntaxError: f-string: empty expression not allowed
Escape the braces by doubling them: f"INSERT INTO {table} VALUES (1, '{{}}');"
Thank you for (ugly) workaround.
Given that using an f-string is not advised in this context (it's a vector for SQL injection attacks) I don't see this as a compelling example, and I think the workaround is perfectly fine - ugliness (if you choose to think of it as ugly) is arguably a benefit, because it forces you to think about whether you want to do this.
The problem here is with the f-string, not the call to cursor.execute. We can simplify the example to this: f'{}' and avoid the distraction of JSON, SQL, databases, etc.
Technically we can, but the context gives us a useful example. Strings like f"Use braces ({}) for {something}." are also a useful example.
It does, and as I say above, it shows that having to double the brackets is fine (in my view).
Empty expression in f-string should * (silently) expand as '{}' (opening and closing braces), * generate a (compile time) warning if requested, e.g. with -W.
We could do that, but this is more likely to just hide bugs in the f-string than be useful.
Thank you, that would be great and useful. Users will be warned before a potential bug two times: 1) They will see the {} in output (which should be tested). 2) By the compiler when they ask for (-W), which is a better behaviour than forced carefulness.
"We could do that" doesn't mean we will. And I'm definitely -1 on it, for the reason Steven stated (it is more likely to hide bugs than to be useful). It's also an odd special case that users will have to understand ("to get a literal { or } character, double it, unless you want to use precisely {}, when you don't have to double the characters but you can use {}. You can't use {{} or {}} though, these are right out"). So no, I don't think this is a good idea, sorry. From the Zen, "Special cases aren't special enough to break the rules" is probably relevant here, and I don't think you have demonstrated that "Practicality beats purity" applies.
Paul
On Thu, Oct 22, 2020 at 7:39 AM Hans Ginzel <hans@matfyz.cz> wrote:
On Thu, Oct 22, 2020 at 08:31:34PM +1100, Steven D'Aprano wrote:
cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');") SyntaxError: f-string: empty expression not allowed
Escape the braces by doubling them: f"INSERT INTO {table} VALUES (1, '{{}}');"
Thank you for (ugly) workaround.
It is no different than having to write \\ in a string to get a single backslash: it is part of the syntax of f-strings, and not a "workaround".
André Roberge
On Thu, 22 Oct 2020 at 12:36, Hans Ginzel <hans@matfyz.cz> wrote:
On Thu, Oct 22, 2020 at 08:31:34PM +1100, Steven D'Aprano wrote:
cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');") SyntaxError: f-string: empty expression not allowed
Escape the braces by doubling them: f"INSERT INTO {table} VALUES (1, '{{}}');"
Thank you for (ugly) workaround.
It's not ugly for me either, but if you want another workaround:

    d = {}
    f"INSERT INTO {table} VALUES (1, '{d}');"
On Thu, Oct 22, 2020 at 3:37 AM Hans Ginzel <hans@matfyz.cz> wrote:
Thank you for (ugly) workaround.
Careful who you're calling ugly. -- --Guido van Rossum (python.org/~guido) *Pronouns: he/him **(why is my pronoun here?)* <http://feministing.com/2015/02/03/how-using-they-as-a-singular-pronoun-can-c...>
On Thu, Oct 22, 2020 at 09:09:07AM -0700, Guido van Rossum wrote:
On Thu, Oct 22, 2020 at 3:37 AM Hans Ginzel <hans@matfyz.cz> wrote:
Thank you for (ugly) workaround.
Careful who you're calling ugly.
"Who"? Syntax is a person now? For what it's worth, I don't think escaping special symbols is ugly. More like homely. It does the job, plainly and simply, but I don't think it's especially good looking. Every other character stands for itself, with this handful of exceptional cases. -- Steve
On Thu, Oct 22, 2020, at 21:00, Steven D'Aprano wrote:
"Who"? Syntax is a person now?
For what it's worth, I don't think escaping special symbols is ugly. More like homely. It does the job, plainly and simply, but I don't think it's especially good looking. Every other character stands for itself, with this handful of exceptional cases.
I suspect that calling this particular syntax ugly is picking at a bit of an open wound in the history of the f-string implementation... consider precisely why the escaping syntax is {{}} instead of \{\}, and all the implications of that. (with the PEG parser, incidentally, I wonder if it may be time to revisit certain limitations in f-string syntax, though that particular one technically presents a backward compatibility problem that the rest don't)
On Fri, 23 Oct 2020 at 08:06, Random832 <random832@fastmail.com> wrote:
On Thu, Oct 22, 2020, at 21:00, Steven D'Aprano wrote: I suspect that calling this particular syntax ugly is picking at a bit of an open wound in the history of the f-string implementation... consider precisely why the escaping syntax is {{}} instead of \{\}, and all the implications of that.
It's the same syntax of format()....
On Thu, Oct 22, 2020 at 11:08 PM Random832 <random832@fastmail.com> wrote:
(with the PEG parser, incidentally, I wonder if it may be time to revisit certain limitations in f-string syntax, though that particular one technically presents a backward compatibility problem that the rest don't)
That's been worked on at the Core dev sprint that's currently winding down. But the quoting won't change. -- --Guido van Rossum (python.org/~guido) *Pronouns: he/him **(why is my pronoun here?)* <http://feministing.com/2015/02/03/how-using-they-as-a-singular-pronoun-can-c...>
On Thu, Oct 22, 2020 at 12:29:22PM +0200, Hans Ginzel wrote:
We could do that, but this is more likely to just hide bugs in the f-string than be useful.
Thank you, that would be great and useful.
Oh, sorry Hans, I think that you may have misunderstood me. In English, "We could do that, but..." usually means we won't do it because of the given reason. In this case, that is what I meant. We could do it, but we shouldn't. -- Steve
On Thu, Oct 22, 2020 at 8:12 PM Hans Ginzel <hans@matfyz.cz> wrote:
Hello,
consider this snippet please
cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');") SyntaxError: f-string: empty expression not allowed
It is (absolutely) correct to insert empty json into database table field. Empty expression in f-string should * (silently) expand as '{}' (opening and closing braces), * generate a (compile time) warning if requested, e.g. with -W.
My recommendation here would be to separate the part where you insert a table name from the rest of the statement:

    cursor.execute(f"INSERT INTO {table} "
        "VALUES (1, '{}')")

That way, you aren't at risk of SQL injection in the rest of the statement, and you have a very clear separation saying "hey this bit is doing something really unusual and using interpolation in SQL".
ChrisA
On Thu, Oct 22, 2020 at 11:32:36PM +1100, Chris Angelico wrote:
My recommendation here would be to separate the part where you insert a table name from the rest of the statement:

    cursor.execute(f"INSERT INTO {table} "
        "VALUES (1, '{}')")

That way, you aren't at risk of SQL injection in the rest of the statement, and you have a very clear separation saying "hey this bit is doing something really unusual and using interpolation in SQL".
Thank you, that is the best suggestion. -- H.
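The injection concern Paul Moore raises and the separation Chris Angelico recommends, carried one step further as an added example (not code from any poster in this thread): the f-string interpolates only an allowlisted, quoted table name, and the JSON value is bound as a parameter, so the empty object needs no brace escaping at all. The sqlite3 backend, `ALLOWED_TABLES`, `TRICKY_NOTE`, `quote_identifier` and `insert_json` are assumptions made for illustration.

```python
import json
import sqlite3

# Assumption: the application knows in advance which tables it may write to.
ALLOWED_TABLES = frozenset({"documents"})

# Constructed sample value: contains a quote, braces and SQL comment syntax.
TRICKY_NOTE = "it's {not} special'); --"


def quote_identifier(name, allowed=ALLOWED_TABLES):
    """Return name as a double-quoted SQL identifier, or raise if not allowlisted."""
    if name not in allowed:
        raise ValueError(f"table {name!r} is not on the allowlist")
    return '"' + name.replace('"', '""') + '"'


def insert_json(conn, table, row_id, payload):
    """Insert payload as JSON text; the f-string carries only the identifier."""
    sql = f"INSERT INTO {quote_identifier(table)} VALUES (?, ?)"
    conn.execute(sql, (row_id, json.dumps(payload)))
    return sql


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "documents" (id INTEGER, body TEXT)')
    # Empty JSON object: bound as a parameter, so no {{}} escaping is involved.
    insert_json(conn, "documents", 1, {})
    # Quotes and braces inside a bound value are stored verbatim.
    insert_json(conn, "documents", 2, {"note": TRICKY_NOTE})
    try:
        # A table name outside the allowlist never reaches the SQL text.
        insert_json(conn, "documents; --", 3, {})
        rejected = False
    except ValueError:
        rejected = True
    rows = conn.execute('SELECT id, body FROM "documents" ORDER BY id').fetchall()
    conn.close()
    return rows, rejected


if __name__ == "__main__":
    print(demo())
```

Placeholder syntax differs between drivers (`?` for sqlite3, `%s` for several others), and placeholders can bind values only, which is why the table name still needs the allowlist.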
participants (9)
- André Roberge
- Chris Angelico
- Eric V. Smith
- Guido van Rossum
- Hans Ginzel
- Marco Sulla
- Paul Moore
- Random832
- Steven D'Aprano