
Tenoke | 10 months ago

I don't see what it adds over an f-string in that example?


ds_ | 10 months ago

The execute function can recognize it as a t-string and prevent SQL injection if the name is coming from user input. f-strings immediately evaluate to a string, whereas t-strings evaluate to a template object which requires further processing to turn it into a string.

Tenoke | 10 months ago

Then the useful part is the extra execute function you have to write (it's not just a substitute like in the comment), and an extra function can confirm the safety of a value going into an f-string just as well.

I get the general case, but even then it seems like an implicit anti-pattern over doing db.execute(f"QUERY WHERE name = {safe(name)}")

teruakohatu | 10 months ago

If I pass an f-string to a method, it just sees a string. If I pass a t-string the method can decide how to process the t-string.
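The point ds_ and teruakohatu make above, worked through as an added example (it is not code from the thread or from the article under discussion): an `execute` function that accepts only a template can rebuild the SQL with placeholders and bind the interpolated values as parameters, while an f-string has already collapsed into one string by the time the function sees it. The `execute` and `to_parameterized` functions are hypothetical, written here for illustration. The example imports the real `string.templatelib.Template` on Python 3.14 and otherwise falls back to a constructed stand-in with the same `.strings` and `.interpolations` attributes; the table contents and the hostile lookup value are constructed for the demo.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass
from typing import Any

# PEP 750 t-strings (Python 3.14+) evaluate to string.templatelib.Template,
# which keeps the literal text (.strings) and the interpolated values
# (.interpolations) apart instead of flattening them into one str.
# So that this file also runs on older interpreters, a small stand-in with
# the same two attributes is defined below; it is a constructed substitute,
# not the real class.
try:
    from string.templatelib import Interpolation, Template  # Python 3.14+
except ImportError:
    @dataclass(frozen=True)
    class Interpolation:
        value: Any
        expression: str = ""

    class Template:
        def __init__(self, *args: str | Interpolation) -> None:
            strings: list[str] = [""]
            interps: list[Interpolation] = []
            for part in args:
                if isinstance(part, str):
                    strings[-1] += part      # merge adjacent literal text
                else:
                    interps.append(part)
                    strings.append("")       # one more literal slot after each value
            self.strings = tuple(strings)    # always len(interpolations) + 1 entries
            self.interpolations = tuple(interps)


def to_parameterized(query: Template) -> tuple[str, tuple[Any, ...]]:
    """Rebuild the SQL text with a '?' placeholder where each interpolation
    sat, and return the interpolated values as the bind parameters."""
    parts: list[str] = []
    params: list[Any] = []
    for i, literal in enumerate(query.strings):
        parts.append(literal)
        if i < len(query.interpolations):
            parts.append("?")
            params.append(query.interpolations[i].value)
    return "".join(parts), tuple(params)


def execute(conn: sqlite3.Connection, query: Template) -> list[tuple]:
    """Hypothetical execute() that only accepts templates: an f-string (or any
    other str) is refused, so interpolated input never reaches the SQL text."""
    if isinstance(query, str):
        raise TypeError("execute() takes a t-string; plain strings and f-strings are refused")
    sql, params = to_parameterized(query)
    return conn.execute(sql, params).fetchall()


def demo() -> dict[str, Any]:
    """Constructed scenario: a two-row table and one hostile lookup value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])

    hostile = "' OR 1=1 --"   # constructed input that closes the quoted literal
    # f-string: the value is spliced into the SQL text and the WHERE clause changes.
    via_fstring = conn.execute(
        f"SELECT name FROM users WHERE name = '{hostile}'").fetchall()
    # template: the same value is bound as a parameter and compared as a plain name.
    via_template = execute(conn, Template("SELECT name FROM users WHERE name = ",
                                          Interpolation(hostile, "hostile")))
    # an ordinary lookup still works through the template path
    alice = execute(conn, Template("SELECT name FROM users WHERE name = ",
                                   Interpolation("alice", "name")))
    try:
        execute(conn, f"SELECT name FROM users WHERE name = '{hostile}'")
        rejected = False
    except TypeError:
        rejected = True
    conn.close()
    return {
        "rows_via_fstring": len(via_fstring),    # 2: the hostile value matched every row
        "rows_via_template": len(via_template),  # 0: no user is literally named that
        "alice": alice,
        "fstring_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice that matters is the `isinstance(query, str)` check: once `execute` refuses plain strings, the only way to get a value into the query is through an interpolation, and every interpolation is bound as a parameter rather than spliced into the SQL text.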

sureglymop | 10 months ago

Wouldn't this precisely lead to SQL injection vulnerabilities with f-strings here?

burky | 10 months ago

f-strings won’t sanitize the value, so it’s not safe. The article talks about this.

Tenoke | 10 months ago

The article talked about it but the example here just assumes they'll be there.

sim7c00 | 10 months ago

It makes it so people too lazy to make good types and classes will be getting closer to sane code without doing sane code...

Imagine writing SQL where you put user input into the query string directly.

Now remember it's 2025, lie down, try not to cry.