[Python-3000] features i'd like [Python 3000?] ... #4: interpolated strings ala perl
barry at python.org
Wed Dec 6 13:58:03 CET 2006
On Dec 6, 2006, at 4:36 AM, Jan Grant wrote:
> On Mon, 4 Dec 2006, Barry Warsaw wrote:
>> After several years of use, I'm strongly +1 for this feature in some
>> form or another.
> I think it's a terrible idea in almost every form.
>> There should be little security concern about the feature specifically,
>> but you do need to be aware of an issue once you start hooking into
> The reason _why_ I think it's such a bad idea is the above statement
> just doesn't gel with practical experience. Google will find plenty of
> reading material if you search for "php sql injection" or "php
> cross-site scripting". That is to say:
> In many places where string interpolation is used, what you want is
> a simple interpolation. Perhaps the feature was OK in the dim distant
> past of Perl, but back then Perl was aimed at being a tool for
> sysadmins, and sysadmins often deal with plain text files (in the Unix
Just like every other tool, you have to know how to use it
correctly. Should we outlaw string concatenation because if you use
it to generate SQL queries, you're opening yourself up to SQL
The security of string interpolation in the context of translatable
text is really not an issue with interpolation, but with trusting
your translators. For example, a translator could just as easily do
some damage by translating "Are you sure you want to delete this
list?" into "Do you like Kung Pao Chicken?".
> So unless there's a way to get strings to magically know their
> use, and to find a type- and use-safe way of doing interpolation that
> respects the quoting requirements of the eventual use (and I don't
> that level of type inference is going to happen in Py3k), I think this
> is, on a practical level, inviting disaster.
Sadly, such is the state of modern programming. The only way out is
to provide the right tool for the job and educate programmers in how
to use them. The answer isn't to eradicate features that can be
misused, unless you want to quit this line of work and become a Kung
Pao Chicken farmer.
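The "right tool for the job" point above, as an added example that is not part of the thread: the same value pasted into a SQL query by interpolation versus passed through a DB-API placeholder, and a translatable template whose substituted values are escaped. The in-memory members table, the sample names and the template text are all constructed for the example.

```python
"""Added example, not from the Python-3000 thread: two interpolation
contexts the message discusses (SQL and translatable UI text), each with
the tool that keeps data separate from syntax.  Standard library only;
the table contents and templates are constructed sample data."""
import html
import sqlite3
from string import Template


def _fresh_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a mailing list's members.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("O'Brien", "obrien@example.org"), ("Alice", "alice@example.org")],
    )
    return conn


def lookup_by_interpolation(name: str) -> list:
    """The pattern the thread warns about: the value becomes part of the
    query text, so the database cannot tell data from syntax.  A perfectly
    honest name containing a quote already breaks the statement."""
    conn = _fresh_db()
    query = "SELECT email FROM members WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def interpolation_breaks(name: str) -> bool:
    """True when the interpolated form cannot even execute for this input."""
    try:
        lookup_by_interpolation(name)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_parameterized(name: str) -> list:
    """The right tool for SQL: the DB-API placeholder carries the value out
    of band, so the quote in O'Brien is just a character in a name."""
    conn = _fresh_db()
    query = "SELECT email FROM members WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render_translated(template_text: str, **values: str) -> str:
    """Translatable UI text is a different context with a different tool.
    The translator's template is trusted, as the message says; what the
    escaping buys is that the values substituted into it cannot add HTML
    markup.  safe_substitute() tolerates a translator who dropped or
    misspelled a placeholder instead of raising KeyError."""
    escaped = {k: html.escape(v, quote=True) for k, v in values.items()}
    return Template(template_text).safe_substitute(escaped)


if __name__ == "__main__":
    print(lookup_parameterized("O'Brien"))
    print("interpolated form breaks on O'Brien:", interpolation_breaks("O'Brien"))
    print(render_translated("Are you sure you want to delete $list?",
                            list="<b>dev</b>"))
```

The parameterized lookup returns `['obrien@example.org']` for the quoted name, while the interpolated form raises `sqlite3.OperationalError` on it; the template renders the list name with its angle brackets escaped.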