It's actually one of the most powerful enhancements one can make to a programming language

Posted Jan 28, 2025 17:46 UTC (Tue) by NYKevin (subscriber, #129325)
In reply to: It's actually one of the most powerful enhancements one can make to a programming language by marcH
Parent article: A revamped Python string-formatting proposal

Unfortunately, that Wikipedia example is probably not the easiest thing to translate into t-strings, because it uses executemany, and it is not immediately obvious how you would implement a t-string version of that.

Here is an exercise that might help illustrate the power of t-strings: Write an example of a "classic" SQL injection vulnerability, using f-strings for naive interpolation, and then change the f to a t. In principle, it is possible for an SQL library to turn the resulting t-string into an entirely safe prepared statement and execute it correctly (at least for the vast majority of real-world interpolations). However, this does require the library to support it, which is an issue. Another issue is that f-strings will serve as an attractive nuisance for less experienced developers, so it is likely wise to introduce a new method or function that *only* accepts t-strings, even for commands that have no interpolations (so that you can't pass it an f-string at all). You could then train developers to only use the new method/function for all SQL execution, and introduce a linter to find uses of the old method/function.
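
The helper described above, as an added example that is not from the thread or from the PEP: an execution function that accepts only a `string.templatelib.Template` (Python 3.14's t-string object), rejects any plain `str` (which is all an f-string is at runtime), and turns the template into a parameterised query. Assumed: the `Template`/`Interpolation` stand-ins defined when the 3.14 module is missing, the in-memory SQLite table, and the function names.

```python
import sqlite3

try:
    from string.templatelib import Interpolation, Template  # Python 3.14+ (PEP 750)
except ImportError:
    # Assumption: minimal stand-ins so the example also runs on pre-3.14 interpreters.
    class Interpolation:
        def __init__(self, value, expression=""):
            self.value, self.expression = value, expression

    class Template:
        def __init__(self, *parts):
            self._parts = parts
        def __iter__(self):
            return iter(self._parts)

def template_to_query(tmpl):
    """Return (sql, params): static text verbatim, each interpolation -> '?' + bound value."""
    if not isinstance(tmpl, Template):
        # An f-string is just a str at runtime, so rejecting every str is the only way.
        raise TypeError("execute_template() accepts only t-strings, not str")
    sql, params = [], []
    for part in tmpl:
        if isinstance(part, Interpolation):
            sql.append("?")
            params.append(part.value)
        else:
            sql.append(part)
    return "".join(sql), tuple(params)

def execute_template(conn, tmpl):
    sql, params = template_to_query(tmpl)
    return conn.execute(sql, params).fetchall()

def accepts(query):
    try:
        template_to_query(query)
        return True
    except TypeError:
        return False

def lookup(user_input):
    """Run the lookup through the helper against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT)")
    conn.executemany("INSERT INTO names VALUES (?)", [("alice",), ("bob",)])
    # Built by hand so this parses on older Pythons; on 3.14 it equals t"SELECT name FROM names WHERE name = {user_input}"
    tmpl = Template("SELECT name FROM names WHERE name = ", Interpolation(user_input, "user_input"))
    return execute_template(conn, tmpl)
```

Because the interpolated value is bound as a parameter rather than spliced into the SQL text, an input such as `' OR 1=1 --` simply matches no row, while a plain string query is refused before it reaches the database.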


It's actually one of the most powerful enhancements one can make to a programming language

Posted Jan 28, 2025 22:32 UTC (Tue) by LtWorf (subscriber, #124958) [Link] (2 responses)

I don't think your example is great either. If you make a function that rejects strings, then a "SELECT name FROM names;" will fail because it's a string. Remember that f-strings do not exist at runtime so you have no way of knowing if it's an f-string or just a regular string with no parameters.

It's actually one of the most powerful enhancements one can make to a programming language

Posted Jan 29, 2025 0:28 UTC (Wed) by NYKevin (subscriber, #129325) [Link] (1 response)

> I don't think your example is great either. If you make a function that rejects strings, then a "SELECT name FROM names;" will fail because it's a string.

Yes, that is the intention.

> Remember that f-strings do not exist at runtime so you have no way of knowing if it's an f-string or just a regular string with no parameters.

And that is why it is the intention - because there is no other way to reject f-strings.

It's actually one of the most powerful enhancements one can make to a programming language

Posted Jan 29, 2025 0:28 UTC (Wed) by NYKevin (subscriber, #129325) [Link]

(In case anyone didn't read the PEP: You can just prefix a literal string with no interpolations with t, and it still gives you a template and not a literal string.)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds