[Python-3000] features i'd like [Python 3000?] ... #4: interpolated strings ala perl

Barry Warsaw barry at python.org
Wed Dec 6 13:58:03 CET 2006



On Dec 6, 2006, at 4:36 AM, Jan Grant wrote:

> On Mon, 4 Dec 2006, Barry Warsaw wrote:
>
>> After several years of use, I'm strongly +1 for this feature in some
>> form or another.
>
> I think it's a terrible idea in almost every form.
>
>> There should be little security concern about the feature specifically,
>> but you do need to be aware of an issue once you start hooking into
>> catalogs.
>
> The reason _why_ I think it's such a bad idea is the above statement
> just doesn't gel with practical experience. Google will find plenty of
> reading material if you search for "php sql injection" or "php
> cross-site scripting". That is to say:
>
> In many places where string interpolation is used, what you want is NOT
> a simple interpolation. Perhaps the feature was OK in the dim distant
> past of Perl, but back then Perl was aimed at being a tool for
> sysadmins, and sysadmins often deal with plain text files (in the Unix
> context).

Just like every other tool, you have to know how to use it
correctly.  Should we outlaw string concatenation because if you use
it to generate SQL queries, you're opening yourself up to SQL
injection attacks?

The security of string interpolation in the context of translatable
text is really not an issue with interpolation, but with trusting
your translators.  For example, a translator could just as easily do
some damage by translating "Are you sure you want to delete this
list?" into "Do you like Kung Pao Chicken?".

> So unless there's a way to get strings to magically know their intended
> use, and to find a type- and use-safe way of doing interpolation that
> respects the quoting requirements of the eventual use (and I don't think
> that level of type inference is going to happen in Py3k), I think this
> is, on a practical level, inviting disaster.

Sadly, such is the state of modern programming.  The only way out is
to provide the right tool for the job and educate programmers in how
to use them.  The answer isn't to eradicate features that can be
misused, unless you want to quit this line of work and become a Kung
Pao Chicken farmer.

-Barry
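An added illustration, not part of the thread, of the two positions above: the "right tool for the job" Barry refers to and the "use-safe" quoting Jan asks for. The same untrusted string is bound as an SQL parameter and escaped for HTML, using a constructed in-memory sqlite3 table; the naive interpolation is shown only to make the failure visible.

```python
import html
import sqlite3

# Constructed sample data: an in-memory table standing in for a list catalog.
SAMPLE_LISTS = ["announce", "O'Brien fans"]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lists (name TEXT)")
    conn.executemany("INSERT INTO lists VALUES (?)", [(n,) for n in SAMPLE_LISTS])
    return conn


def find_by_interpolation(conn, name):
    """Naive form: the untrusted value becomes part of the SQL text itself."""
    query = "SELECT name FROM lists WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def try_interpolation(conn, name):
    """Run the naive form and report how it fails on a value containing a quote."""
    try:
        return find_by_interpolation(conn, name)
    except sqlite3.OperationalError as exc:
        # A plain apostrophe already breaks the query: the value was parsed as SQL.
        return "SQL error: %s" % exc


def find_by_parameter(conn, name):
    """Use-safe form: the driver binds the value; it never becomes SQL syntax."""
    rows = conn.execute("SELECT name FROM lists WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_html(name):
    """HTML context needs HTML quoting, which differs from SQL quoting."""
    return "<li>%s</li>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = setup_db()
    for candidate in SAMPLE_LISTS:
        print(try_interpolation(db, candidate))
        print(find_by_parameter(db, candidate))
        print(render_html(candidate))
```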


