[Python-ideas] Custom string prefixes

Steven D'Aprano steve at pearwood.info
Thu May 30 02:37:12 CEST 2013


On 30/05/13 05:23, Devin Jeanpierre wrote:
> On Mon, May 27, 2013 at 6:41 AM, Göktuğ Kayaalp
> <goktug.kayaalp at gmail.com> wrote:
>> I think it would add some significant flexibility to Python to let users
>> define custom string prefixes. What I mean by a string prefix is,
>> a letter prefixing the string literal, modifying the behavior of it,
> --snip--
>
> Rather than Decimal, IMO a more compelling use case is SQL queries. At
> the moment, string literals make unsafe string formatting an
> attractive nuisance:
>
>      cur.execute("..." % (...))
>
> versus
>
>      cur.execute("...", (...))
>
> Something that custom string prefixes do, that cannot be done in
> Python, is make this confusion impossible. You could make the only way
> to create passable SQL expressions via the string sql:"...", which
> produces an SQL object. At no point in time does the programmer deal
> with strings that can be manipulated in unsafe ways to result in SQL
> injection vulnerabilities.

I think that's wrong. *This* proposal, for custom user-land prefixes, will not help in this case. Your suggestion will only work if Python has a new built-in type, the "SQL Query", which does not support *any* form of string input, *and* the cur.execute method is changed to no longer accept strings (backwards compatibility be damned).

The loss of backwards compatibility makes this a Python 4000 idea.

But putting that aside, it has to be a built-in type only accessible as a literal, because if it is a function that takes a string argument, say, sql(), then you'll have exactly the same issue. Some people will write this:

cur.execute(sql("..." % (...)))

instead of one of these:

cur.execute(sql("..."), (...))
cur.execute(sql:"...", (...))


So that effectively rules out any user-land solution.

Given that Python is a language which allows the programmer to shoot themselves in the foot if they so choose, I'm not really so sure that even in Python 4000 we should be going to extraordinary efforts to prevent *this specific* toe from being shot off.



-- 
Steven
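The two execute() forms Devin contrasts, and the point Steven makes about a user-land sql() wrapper, worked through in an added example (this is not code from the thread). It uses an in-memory sqlite3 table with constructed rows; the SQL class and execute_only_sql are hypothetical stand-ins for the proposed sql:"..." literal and a cursor that only accepts it.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample table; not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn

def lookup_formatted(conn, name):
    # The "attractive nuisance": user data interpolated into the statement
    # text. Any quote in the name becomes part of the SQL itself.
    cur = conn.execute("SELECT role FROM users WHERE name = '%s'" % name)
    return [row[0] for row in cur.fetchall()]

def lookup_parameterised(conn, name):
    # The safe form: the driver binds name as a value, never as SQL text.
    cur = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]

def formatted_query_breaks(conn, name):
    # True when interpolating name yields a statement SQLite rejects.
    try:
        lookup_formatted(conn, name)
    except sqlite3.OperationalError:
        return True
    return False

class SQL:
    # Hypothetical user-land stand-in for the proposed sql:"..." literal.
    def __init__(self, text):
        self.text = text

def execute_only_sql(conn, query, params=()):
    # A cursor that insists on the wrapper type rejects bare strings, but it
    # cannot tell SQL("...") from SQL("..." % (...)): both arrive as SQL.
    if not isinstance(query, SQL):
        raise TypeError("plain strings are not accepted")
    return conn.execute(query.text, params).fetchall()

def wrapper_accepts(conn, query):
    # Reports whether execute_only_sql lets the given query object through.
    try:
        execute_only_sql(conn, query)
    except TypeError:
        return False
    return True
```

With the name O'Brien the formatted form is already broken SQL while the parameterised form returns the row; and the wrapper, as Steven notes, happily accepts a string that was formatted before being wrapped.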

