[Python-ideas] Custom string prefixes

Devin Jeanpierre jeanpierreda at gmail.com
Wed May 29 21:23:56 CEST 2013


On Mon, May 27, 2013 at 6:41 AM, Göktuğ Kayaalp
<goktug.kayaalp at gmail.com> wrote:
> I think it would add some significant flexibility to Python to let users
> define custom string prefixes. What I mean by a string prefix is,
> a letter prefixing the string literal, modifying the behavior of it,
--snip--

Rather than Decimal, IMO a more compelling use case is SQL queries. At
the moment, string literals make unsafe string formatting an
attractive nuisance:

    cur.execute("..." % (...))

versus

    cur.execute("...", (...))

Something that custom string prefixes do, that cannot be done in
Python, is make this confusion impossible. You could make the only way
to create passable SQL expressions via the string sql:"...", which
produces an SQL object. At no point in time does the programmer deal
with strings that can be manipulated in unsafe ways to result in SQL
injection vulnerabilities.

Of course, then there is the issue of "what if you want to produce an
SQL expression from a string"? Then you can make that difficult,
rather than attractive, perhaps requiring the following code:

    with sql.unsafe.disable_all_security_protections:
        expr = sql.unsafe.compile_string(my_string)
    cur.execute(expr, (...))

As it stands today, it's very common for people to produce insecure
code completely by accident. I see it on a regular basis in #python.
There is no way to resolve this without something similar to E's
quasiliterals, or these prefixed strings.

-- Devin


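An added illustration of the design sketched in the post above (not code from the thread): today's Python cannot check that `sql(...)` is only ever called on a literal, so this models the rest of the idea at runtime, with a distinct `SQL` type that refuses `%` and `+`, an executor that rejects plain `str`, and an `unsafe` escape hatch mirroring the post's `disable_all_security_protections` / `compile_string`. The names `sql`, `SQL`, `safe_execute` and the sample table are assumptions.

```python
import sqlite3
import threading
import types

class SQL:
    """Query text that is code, not data; parameters are always bound separately."""
    def __init__(self, text):
        self.text = text
    def __mod__(self, values):   # sql(...) % values is a TypeError, never a query
        raise TypeError("SQL objects cannot be formatted; bind parameters instead")
    def __add__(self, other):    # sql(...) + user_input is rejected the same way
        raise TypeError("SQL objects cannot be concatenated; bind parameters instead")
    __radd__ = __add__

def sql(text):
    """Stand-in for the proposed sql:"..." literal (assumed name); call it only on literals."""
    return SQL(text)

class _Gate:
    """The deliberately awkward escape hatch: a context that must be entered first."""
    def __init__(self):
        self._local = threading.local()
    def __enter__(self):
        self._local.open = True
    def __exit__(self, *exc):
        self._local.open = False
    def is_open(self):
        return getattr(self._local, "open", False)

_gate = _Gate()

def _compile_string(text):
    if not _gate.is_open():
        raise PermissionError("compile_string only works inside disable_all_security_protections")
    return SQL(text)

unsafe = types.SimpleNamespace(disable_all_security_protections=_gate, compile_string=_compile_string)

def safe_execute(cur, query, params=()):
    """Execution boundary: a plain str (e.g. the result of '%') is rejected outright."""
    if not isinstance(query, SQL):
        raise TypeError("execute requires an SQL object, got " + type(query).__name__)
    return cur.execute(query.text, params)

def demo():
    cur = sqlite3.connect(":memory:").cursor()
    safe_execute(cur, sql("CREATE TABLE users (name TEXT)"))
    safe_execute(cur, sql("INSERT INTO users VALUES (?)"), ("alice",))
    hostile = "alice' OR '1'='1"  # constructed input; bound as data, so it matches no row
    return safe_execute(cur, sql("SELECT name FROM users WHERE name = ?"), (hostile,)).fetchall()
```

The only way to turn an arbitrary string into something `safe_execute` accepts is through the `with unsafe.disable_all_security_protections:` block, which makes the unsafe path visible in code review rather than the default.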