[Python-3000] features i'd like [Python 3000?] ... #4: interpolated strings ala perl

Jan Grant jan.grant at bristol.ac.uk
Wed Dec 6 10:36:31 CET 2006

On Mon, 4 Dec 2006, Barry Warsaw wrote:

> On Dec 4, 2006, at 5:08 AM, Ben Wing wrote:
> > i see in PEP 3101 that there's some work going on to fix up the string
> > formatting capabilities of python.  it looks good to me but it still
> > doesn't really address the lack of a simple interpolated string
> > mechanism, as in perl or ruby.

I don't think there's such a thing.

> After several years of use, I'm strongly +1 for this feature in some  
> form or another.

I think it's a terrible idea in almost every form.

> There should be little security concern about feature specifically,  
> but you do need to be aware of an issue once you start hooking into  
> catalogs.

The reason _why_ I think it's such a bad idea is the above statement 
just doesn't gel with practical experience. Google will find plenty of 
reading material if you search for "php sql injection" or "php 
cross-site scripting". That is to say:

In many places where string interpolation is used, what you want is NOT 
a simple interpolation. Perhaps the feature was OK in the dim distant 
past of Perl, but back then Perl was aimed at being a tool for 
sysadmins, and sysadmins often deal with plain text files (in the Unix 

When presented with this misfeature, however, novice programmers see it 
as a great way to construct SQL queries, or perhaps produce html output 
with variables interpolated. In both instances the convenience of the 
expression leads to the dark path.

So unless there's a way to get strings to magically know their intended 
use, and to find a type- and use-safe way of doing interpolation that 
respects the quoting requirements of the eventual use (and I don't think 
that level of type inference is going to happen in Py3k), I think this 
is, on a practical level, inviting disaster.

You mention the need to quote variables that are interpolated. You're 
clearly a careful and thoughtful programmer. Python is a great language 
for novices too, and they may not have even been exposed to the concept 
of an injection attack. Don't turn Python into the next PHP.


jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661   http://ioctl.org/jan/
Whose kung-fu is the best?
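As an added illustration of the point made above about quoting requirements (this is not code from the thread or from PEP 3101), the following Python compares plain interpolation with use-aware substitution for two targets: an HTML template that escapes every value, and a SQL query that passes values as parameters. The table, the names and the sample inputs are constructed for the example.

```python
import html
import sqlite3
import string


class HtmlTemplate(string.Template):
    """A $name template whose substitution escapes every value for HTML."""

    def render(self, **values):
        escaped = {k: html.escape(str(v), quote=True) for k, v in values.items()}
        return self.substitute(escaped)


def render_greeting_naive(name):
    # Plain interpolation: whatever is in `name` lands verbatim in the markup.
    return "<p>Hello, %s!</p>" % name


def render_greeting_safe(name):
    # Use-aware interpolation: the template knows its output is HTML.
    return HtmlTemplate("<p>Hello, $name!</p>").render(name=name)


def make_db():
    # Constructed in-memory table for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("O'Brien",)])
    return conn


def count_users_interpolated(conn, name):
    # Plain interpolation: the value becomes part of the SQL text, so a
    # perfectly legitimate apostrophe already breaks the statement.
    # Returns None when SQLite rejects the resulting query.
    try:
        row = conn.execute(
            "SELECT COUNT(*) FROM users WHERE name = '%s'" % name).fetchone()
    except sqlite3.Error:
        return None
    return row[0]


def count_users_parameterized(conn, name):
    # The driver carries the value separately from the query text, so the
    # SQL quoting rules are respected whatever the value contains.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]
```

Run with the name `O'Brien`: the interpolated query fails to parse while the parameterized one finds the row, and the HTML template turns `<b>` into `&lt;b&gt;` instead of emitting a tag.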
