[Python-ideas] Custom string prefixes

Göktuğ Kayaalp goktug.kayaalp at gmail.com
Thu May 30 03:48:40 CEST 2013


> Something that custom string prefixes do, that cannot be done in
> Python, is make this confusion impossible. You could make the only way
> to create passable SQL expressions via the string sql:"...", which
> produces an SQL object. At no point in time does the programmer deal
> with strings that can be manipulated in unsafe ways to result in SQL
> injection vulnerabilities.

IMO, a better decision would be to use an ORM for this. Abstracting away
the SQL language with something like SQLAlchemy would result in code
written in a single language, which in turn would possibly decrease the
odds of making a mistake.

Greetings,

        Göktuğ.

Devin Jeanpierre <jeanpierreda at gmail.com> writes:

> On Mon, May 27, 2013 at 6:41 AM, Göktuğ Kayaalp
> <goktug.kayaalp at gmail.com> wrote:
>> I think it would add some significant flexibility to Python to let users
>> define custom string prefixes. What I mean by a string prefix is,
>> a letter prefixing the string literal, modifying the behavior of it,
> --snip--
>
> Rather than Decimal, IMO a more compelling use case is SQL queries. At
> the moment, string literals make unsafe string formatting an
> attractive nuisance:
>
>     cur.execute("..." % (...))
>
> versus
>
>     cur.execute("...", (...))
>
> Something that custom string prefixes do, that cannot be done in
> Python, is make this confusion impossible. You could make the only way
> to create passable SQL expressions via the string sql:"...", which
> produces an SQL object. At no point in time does the programmer deal
> with strings that can be manipulated in unsafe ways to result in SQL
> injection vulnerabilities.
>
> Of course, then there is the issue of "what if you want to produce an
> SQL expression from a string"? Then you can make that difficult,
> rather than attractive, perhaps requiring the following code:
>
>     with sql.unsafe.disable_all_security_protections:
>         expr = sql.unsafe.compile_string(my_string)
>     cur.execute(expr, (...))
>
> As it stands today, it's very common for people to produce insecure
> code completely by accident. I see it on a regular basis in #python.
> There is no way to resolve this without something similar to E's
> quasiliterals, or these prefixed strings.
>
> -- Devin

-- 
Göktuğ Kayaalp <goktug.kayaalp at gmail.com>
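The typed-SQL idea from the quoted message, sketched as an added example that is not part of the original thread: a plain `SQL` object stands in for the proposed `sql:"..."` prefix, and a cursor wrapper only accepts that object, so the `"..." % (...)` form is rejected instead of silently accepted. The names `SQL`, `sql()` and `SafeCursor` are assumptions for illustration; the sample table is constructed in memory.

```python
import sqlite3
from dataclasses import dataclass
from typing import Any, Sequence

# Assumed names for illustration: SQL, sql(), SafeCursor (not from the thread).

@dataclass(frozen=True)
class SQL:
    """A query the developer wrote as a literal; it refuses string surgery."""
    text: str

    def __mod__(self, other: Any) -> "SQL":      # blocks "..." % (...)
        raise TypeError("SQL cannot be %-formatted; pass parameters to execute()")

    def __add__(self, other: Any) -> "SQL":      # blocks "..." + user_input
        raise TypeError("SQL cannot be concatenated; use ? placeholders instead")


def sql(literal: str) -> SQL:
    """Stand-in for the proposed sql:"..." prefix."""
    return SQL(literal)


class SafeCursor:
    """Executes only SQL objects, so a plain str (formatted or not) is rejected."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self._cur = conn.cursor()

    def execute(self, query: SQL, params: Sequence[Any] = ()) -> list:
        if not isinstance(query, SQL):
            raise TypeError("execute() needs an SQL object, got " + type(query).__name__)
        return self._cur.execute(query.text, tuple(params)).fetchall()


def demo() -> dict:
    conn = sqlite3.connect(":memory:")  # constructed sample data, in memory
    conn.executescript("CREATE TABLE users (id INTEGER, name TEXT);"
                       "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');")
    cur = SafeCursor(conn)
    user_input = "2"                    # arrives as untrusted text, bound as data
    out = {"rows": cur.execute(sql("SELECT name FROM users WHERE id = ?"), (user_input,))}
    try:                                # the attractive-nuisance form no longer runs
        cur.execute("SELECT name FROM users WHERE id = %s" % user_input)
        out["raw_str_accepted"] = True
    except TypeError:
        out["raw_str_accepted"] = False
    return out
```

The deliberate escape hatch from the quoted message (an explicit `compile_string` call) would simply be a second constructor returning `SQL`, kept out of the normal path so that its use stands out in review.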