[Python-ideas] Custom string prefixes
Chris Angelico
rosuav at gmail.com
Thu May 30 05:30:18 CEST 2013
On Thu, May 30, 2013 at 10:37 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> But putting that aside, it has to be a built-in type only accessible as a
> literal, because if it is a function that takes a string argument, say,
> sql(), then you'll have exactly the same issue. Some people will write this:
>
> cur.execute(sql("..." % (...)))
>
> instead of one of these:
>
> cur.execute(sql("..."), (...))
> cur.execute(sql:"...", (...))
>
>
> So that effectively rules out any user-land solution.
Actually, there is a user-land solution! It just isn't 100% perfect.
My old favorite, the linter...
All you need is an intelligent code-parsing tool that gives you a
warning if you call sql() with anything other than a literal - or, for
that matter, skip the sql() check and give a warning if .execute()'s
first parameter is not a literal. Put that into your makefile or
repository pre-commit hook and you should have no trouble keeping
yourself safe.
Disadvantage: Doesn't actually protect you, just helps you keep yourself safe.
Advantages: Works on existing releases of Python; can be customized to
your own personal requirements.
ChrisA
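The linter check Chris describes, as an added example that is not code from this thread: an `ast`-based pass that flags any `.execute()`/`.executemany()` call, or a call to a hypothetical `sql()` wrapper like the one in the quoted message, whose first argument is not a plain string literal (`%` formatting, `+` concatenation, f-strings and variables all trip it). The sample module is constructed for the demonstration.

```python
"""Minimal AST linter: warn when a query-taking call gets a non-literal query.

Added example, not from the Python-ideas thread. Flags the call shapes the
post warns about so the check can run in a pre-commit hook or a Makefile target.
"""
import ast

# Constructed sample source: line 2 is the safe parametrised form, the rest
# build the query dynamically and should be reported.
SAMPLE = '''
cur.execute("SELECT * FROM t WHERE id = %s", (user_id,))
cur.execute("SELECT * FROM t WHERE id = %s" % (user_id,))
cur.execute("SELECT * FROM t WHERE name = '" + name + "'")
cur.execute(f"SELECT * FROM t WHERE id = {user_id}")
query = "SELECT 1"
cur.execute(query)
'''


def _takes_query(node: ast.Call) -> bool:
    """True for cur.execute(...)/cur.executemany(...) and the hypothetical sql(...) wrapper."""
    if isinstance(node.func, ast.Attribute):
        return node.func.attr in ("execute", "executemany")
    return isinstance(node.func, ast.Name) and node.func.id == "sql"


def _is_string_literal(node: ast.expr) -> bool:
    """Only a plain str constant counts; an f-string parses as ast.JoinedStr, not ast.Constant."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_non_literal_queries(source: str) -> list:
    """Return (line number, AST node type) for every flagged call, in line order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _takes_query(node) and node.args:
            first = node.args[0]
            if not _is_string_literal(first):
                findings.append((node.lineno, type(first).__name__))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind in find_non_literal_queries(SAMPLE):
        print(f"line {lineno}: query argument is {kind}, not a string literal")
```

The first sample line passes because its query is a literal and the values travel separately as the second argument, which is exactly the distinction the linter is meant to enforce.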