[Python-ideas] extensible template strings
Wes Turner
wes.turner at gmail.com
Thu Aug 20 05:30:44 CEST 2015
On Aug 19, 2015 8:45 PM, "Yury Selivanov" <yselivanov.ml at gmail.com> wrote:
>
> On 2015-08-19 8:49 PM, Eric V. Smith wrote:
>>
>> On 8/19/2015 8:28 PM, Steven D'Aprano wrote:
>>>
>>> On Wed, Aug 19, 2015 at 08:15:05PM -0400, Eric V. Smith wrote:
>>>>
>>>> On 8/19/2015 7:43 PM, Guido van Rossum wrote:
>>>>>
>>>>> How important is it really to *hide* the fact that this involves a
>>>>> function call?
>>>>
>>>> The only reason PEPs 498 and 501, and by extension Yuri's proposal,
have
>>>> any difference over a function call is the ability to evaluate the
>>>> embedded expressions in the local context, before the function is
>>>> called.
>>>
>>> Isn't that exactly what a normal function call does?
>>>
>>> func(expr)
>>>
>>> evaluates expr in the local context before the function is called.
>>
>> Yes. But you couldn't write:
>>
>> sql('select {columns} from {table}')
>>
>> And have it get columns and table from where the sql function were
>> called. See the discussions preceding PEP 498.
>>
>>> Yuri linked to the Javascript reference for this feature, which
>>> explicitly warns that "template strings" are a security risk:
>>>
>>>
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/template_strings
>>>
>>> It looks to me that the sql'...' version above is trivially vunerable to
>>> code injection attacks.
>>
>> The sql function could do all of the correct escaping. What's generally
>> to be avoided is building the strings without escaping.
>
>
> Exactly.
>
> I'm not sure I buy the security risk argument -- in fact it is
> safer to use sql'...' than to write something like
>
> db.query('select ... where {}'.format(request.get['id']))
One should almost never use str.format for parameterizing SQL queries (how
is this distinct what DBAPI solves for)?
Again, SQLAlchemy dialects demonstrate that this is more complex than just
escaping sqlite / ANSI SQL keywords.
>
>
>>
>> And there's no particular reason that the sql function would even return
>> a string: it might return an object that generated and stored the string
>> "select ? from ?" and stored the values for columns and names (dbapi
>> qmark style).
>
>
> Right, it should be able to return anything.
>
> Yury
>
> _______________________________________________
> Python-ideas mailing list
> Python-ideas at python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20150819/15df5886/attachment.html>
More information about the Python-ideas
mailing list