[Python-3000] features i'd like [Python 3000?] ... #4: interpolated strings ala perl

Ka-Ping Yee python at zesty.ca
Wed Dec 6 11:02:11 CET 2006


On Wed, 6 Dec 2006, Jan Grant wrote:
[regarding string interpolation]
> I think it's a terrible idea in almost every form.
[...]
> The reason _why_ I think it's such a bad idea is the above statement
> just doesn't gel with practical experience. Google will find plenty of
> reading material if you search for "php sql injection" or "php
> cross-site scripting". That is to say:
>
> In many places where string interpolation is used, what you want is NOT
> a simple interpolation.

If I understand you correctly, your argument is:

    Many people use simple string interpolation when they should
    be using an application-specific quoting mechanism.

    Therefore string interpolation should be inconvenient.

I don't agree that the second statement follows from the first.
You are trying to make a "path of least resistance" argument,
but the more logical argument would be:

    Many people use simple string interpolation when they should
    be using an application-specific quoting mechanism.

    Therefore application-specific quoting mechanisms should
    be more convenient to create and use.

I see this, therefore, as a design constraint upon the design of
a good string interpolation mechanism.

In Perl and PHP, the standard interpolation mechanism supports
*only* simple string interpolation.  Using a more appropriate
quoting mechanism is significantly more inconvenient to the script
programmer; hence it is not so often used.

But here, in Python, we have an opportunity that these other
languages do not -- the opportunity to design a new string
interpolation mechanism that is more convenient than what we have now.
If this mechanism makes application-specific quoting just as, or
nearly as, easy as simple interpolation -- that is, lowering the
usage barrier to the safe path -- then security considerations
would actually point in *favour* of the new mechanism.

Where does this design constraint take us?

One possibility it suggests is that the interpolation function could
be generic, allowing the formatting template to be of a custom type
that supports application-specific quoting.  If we go this route,
that would argue in favour of solutions like a method on the
template object or an infix operator, and would reject solutions
like a built-in interpolated string type.

Another possibility is that the interpolation function, if a built-in,
could be overridable.


-- ?!ng
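The design sketched in the message above (a generic interpolation mechanism whose template is a custom type that supplies application-specific quoting, driven by an infix operator) can be tried out in a few dozen lines of present-day Python. The following is an added example and not code from the original post or from any proposal made on the list; the class names HtmlTemplate and SqlTemplate, the choice of `string.Template` placeholder syntax, and the `%` operator are all assumptions made here for illustration. It places the unsafe "simple interpolation" form beside the safe form so the two can be compared on constructed attacker input.

```python
"""Added example: string interpolation where application-specific quoting
is as easy to use as plain '%' formatting.  HtmlTemplate and SqlTemplate
are assumed names, not an API from the Python-3000 discussion."""
import html
import sqlite3
import string
from typing import Any, List, Mapping, Tuple


class HtmlTemplate:
    """Interpolation that HTML-escapes every substituted value."""

    def __init__(self, text: str) -> None:
        self._tmpl = string.Template(text)

    def __mod__(self, values: Mapping[str, Any]) -> str:
        # quote=True also escapes ' and " so values are safe inside attributes.
        escaped = {k: html.escape(str(v), quote=True) for k, v in values.items()}
        return self._tmpl.substitute(escaped)


class _ParamCollector(dict):
    """Mapping handed to string.Template: every lookup records the real
    value and returns a DB-API bind marker instead of the value itself."""

    def __init__(self, values: Mapping[str, Any]) -> None:
        super().__init__(values)
        self.params: List[Any] = []

    def __getitem__(self, key: str) -> str:
        self.params.append(super().__getitem__(key))
        return "?"


class SqlTemplate:
    """Interpolation that never copies a value into the SQL text: the
    result is (sql_with_markers, params) ready for cursor.execute()."""

    def __init__(self, text: str) -> None:
        self._tmpl = string.Template(text)

    def __mod__(self, values: Mapping[str, Any]) -> Tuple[str, Tuple[Any, ...]]:
        collector = _ParamCollector(values)
        # substitute() resolves placeholders left to right, so the collected
        # params line up with the '?' markers in the returned SQL.
        sql = self._tmpl.substitute(collector)
        return sql, tuple(collector.params)


# Constructed attacker inputs used by the functions below.
HOSTILE_NAME = "x' OR '1'='1"
HOSTILE_HTML = "<script>alert(1)</script>"


def naive_sql(name: str) -> str:
    """Simple interpolation: the value becomes part of the SQL text."""
    return "SELECT id FROM users WHERE name = '%s'" % name


def safe_sql(name: str) -> Tuple[str, Tuple[Any, ...]]:
    """Template-type interpolation: $name is written unquoted because the
    mechanism replaces it with a bind marker, not with a string literal."""
    return SqlTemplate("SELECT id FROM users WHERE name = $name") % {"name": name}


def naive_html(user: str) -> str:
    """Simple interpolation straight into markup."""
    return "<p>Hello, %s</p>" % user


def safe_html(user: str) -> str:
    """Same template shape, but every value is escaped for HTML text context."""
    return HtmlTemplate("<p>Hello, $user</p>") % {"user": user}


def count_matches(sql: str, params: Tuple[Any, ...] = ()) -> int:
    """Run a query against a constructed in-memory table with two users."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        con.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
        return len(con.execute(sql, params).fetchall())
    finally:
        con.close()


if __name__ == "__main__":
    print(naive_sql(HOSTILE_NAME), "->", count_matches(naive_sql(HOSTILE_NAME)), "rows")
    sql, params = safe_sql(HOSTILE_NAME)
    print(sql, params, "->", count_matches(sql, params), "rows")
    print(naive_html(HOSTILE_HTML))
    print(safe_html(HOSTILE_HTML))
```

With the hostile name, the naive query matches every row because the quoting in the value rewrites the WHERE clause, while the SqlTemplate form passes the same text as a bound parameter and matches nothing. The point of the design is in the call sites: `safe_sql` and `safe_html` are no longer to type than their naive counterparts, which is exactly the "lower the barrier to the safe path" property argued for above. Note that HtmlTemplate only handles HTML text and attribute-value contexts; a value dropped into a URL or a script block needs a different quoting rule, which in this design would be another template type.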
