[Python-3000] features i'd like [Python 3000?] ... #4: interpolated strings ala perl
jan.grant at bristol.ac.uk
Wed Dec 6 10:36:31 CET 2006
On Mon, 4 Dec 2006, Barry Warsaw wrote:
> On Dec 4, 2006, at 5:08 AM, Ben Wing wrote:
> > I see in PEP 3101 that there's some work going on to fix up the string
> > formatting capabilities of Python. It looks good to me but it still
> > doesn't really address the lack of a simple interpolated string
> > mechanism, as in Perl or Ruby.
I don't think there's such a thing.
> After several years of use, I'm strongly +1 for this feature in some
> form or another.
I think it's a terrible idea in almost every form.
> There should be little security concern about this feature specifically,
> but you do need to be aware of an issue once you start hooking into
The reason _why_ I think it's such a bad idea is the above statement
just doesn't gel with practical experience. Google will find plenty of
reading material if you search for "php sql injection" or "php
cross-site scripting". That is to say:
In many places where string interpolation is used, what you want is NOT
a simple interpolation. Perhaps the feature was OK in the dim distant
past of Perl, but back then Perl was aimed at being a tool for
sysadmins, and sysadmins often deal with plain text files (in the Unix
When presented with this misfeature, however, novice programmers see it
as a great way to construct SQL queries, or perhaps produce html output
with variables interpolated. In both instances the convenience of the
expression leads to the dark path.
So unless there's a way to get strings to magically know their intended
use, and to find a type- and use-safe way of doing interpolation that
respects the quoting requirements of the eventual use (and I don't think
that level of type inference is going to happen in Py3k), I think this
is, on a practical level, inviting disaster.
You mention the need to quote variables that are interpolated. You're
clearly a careful and thoughtful programmer. Python is a great language
for novices too, and they may not have even been exposed to the concept
of an injection attack. Don't turn Python into the next PHP.
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661 http://ioctl.org/jan/
Whose kung-fu is the best?
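The failure mode jan grant describes, as an added example that is not part of the original thread: splicing a value into SQL or HTML text treats it as syntax, while a parameterized query or context-aware escaping keeps it as data. The table contents and inputs below are constructed; only Python's sqlite3 and html modules are used.

```python
import html
import sqlite3

# Constructed sample rows standing in for an application's user table.
SAMPLE_USERS = [("alice", "alice@example.org"), ("O'Brien", "ob@example.org")]


def make_db():
    """Build a throwaway in-memory database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(name):
    """The pattern the post warns about: the value becomes part of the SQL
    text, so a quote character inside the data is read as SQL syntax."""
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in make_db().execute(query)]


def lookup_parameterized(name):
    """Use-aware alternative: the driver carries the value separately from
    the SQL, so it stays data whatever characters it contains."""
    cur = make_db().execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def interpolation_fails(name):
    """True when splicing `name` into the SQL text produces a query that
    SQLite rejects, i.e. the data has changed the statement's structure."""
    try:
        lookup_interpolated(name)
    except sqlite3.OperationalError:
        return True
    return False


def render_interpolated(name):
    """Same mistake in the HTML context: markup in the data becomes markup."""
    return "<li>%s</li>" % name


def render_escaped(name):
    """Context-aware interpolation: escape for HTML before splicing."""
    return "<li>%s</li>" % html.escape(name, quote=True)


if __name__ == "__main__":
    print(interpolation_fails("O'Brien"), lookup_parameterized("O'Brien"))
    print(render_interpolated("<b>x</b>"), render_escaped("<b>x</b>"))
```

Even a legitimate name with an apostrophe breaks the interpolated query, which is the practical point of the post: the string does not know its intended use, so the escaping has to be chosen per context.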