On 5/7/21 5:56 PM, Nick Humrich wrote:
> Marc,
>
> You might have misunderstood me. I am not recommending sending the
> database raw strings without parameters, but rather that i-strings
> turn things into parameters and it's impossible to mess up. Let me
> explain a little.
>
> In sqlalchemy, you can use a format such as "update items set a=:value
> where id=:item_id" then you tell it the value of the parameters.
> SQLAlchemy then takes the :something part of the string and turns it
> into a parameter ($1, $2, etc). The problem being, however, there is
> nothing stopping me from doing an f-string by accident: f"update items
> set a={something} where id=:value". Because f-strings are eager,
> sqlalchemy can't protect you; you are now vulnerable to injection.
> But with i-strings, because they are not eager, it would actually know
> that you passed in the value as a variable, and turn it into a
> parameter. It knows the difference between the static part of the
> query and the dynamic part of the query, so it can actually protect
> you from yourself, or protect early engineers who don't even know what
> injection is. 
>
> Nick
>
I think the issue is what would the result of the i-string actually be?
The database APIs typically want a string + a tuple or a dictionary, two
separate things. Are you suggesting that to use i-strings, all the APIs
need to be adjusted to accept some new type of object that is a
string/dictionary combo?

-- 
Richard Damon
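
The question above (what object an i-string would produce, and how a DB-API would consume it) can be made concrete with a small sketch. This is an added example written for this page, not code from either poster, from Python, or from SQLAlchemy: the `InterpolatedString` and `Interpolation` classes are assumed stand-ins for the lazy i-string object being discussed, and the `items` table and the inputs are constructed for the demo. It renders the static text and the captured values to exactly the two shapes DB-API drivers already accept (a `?` string plus a tuple, or a named-placeholder string plus a dict), then runs the eager f-string path and the lazy path side by side against an in-memory SQLite database.

```python
"""Sketch of the lazy 'i-string' object from the thread, rendered to the
(sql, params) pair a DB-API cursor expects.  Example code written for this
page; InterpolatedString and Interpolation are assumptions, not a real
Python feature or a SQLAlchemy API."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Interpolation:
    # The evaluated value of one {expr}, kept apart from the static text.
    value: object


@dataclass(frozen=True)
class InterpolatedString:
    # Static text pieces; there is always one more piece than interpolations.
    strings: tuple
    interpolations: tuple

    def to_sql(self, paramstyle="qmark"):
        """Render to (sql, params): '?' placeholders with a tuple, or named
        placeholders with a dict, matching the two DB-API shapes."""
        if paramstyle == "qmark":
            placeholders = ["?"] * len(self.interpolations)
            params = tuple(i.value for i in self.interpolations)
        elif paramstyle == "named":
            names = [f"p{n}" for n in range(len(self.interpolations))]
            placeholders = [f":{n}" for n in names]
            params = {n: i.value for n, i in zip(names, self.interpolations)}
        else:
            raise ValueError(f"unsupported paramstyle: {paramstyle}")
        sql = self.strings[0]
        for placeholder, static in zip(placeholders, self.strings[1:]):
            sql += placeholder + static
        return sql, params


def eager_update(conn, new_value, item_id):
    """The hazard: an f-string splices the value into the SQL text before
    the driver ever sees it, so the driver cannot tell data from syntax."""
    sql = f"update items set a='{new_value}' where id={item_id}"
    conn.execute(sql)
    return sql


def lazy_update(conn, new_value, item_id, paramstyle="qmark"):
    """What the thread proposes: the value stays a separate parameter."""
    query = InterpolatedString(
        ("update items set a=", " where id=", ""),
        (Interpolation(new_value), Interpolation(item_id)),
    )
    sql, params = query.to_sql(paramstyle)
    conn.execute(sql, params)
    return sql, params


def fresh_db():
    # Constructed sample table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (id integer primary key, a text)")
    conn.executemany("insert into items values (?, ?)", [(1, "old"), (2, "old")])
    return conn


def stored_value(conn, item_id):
    return conn.execute("select a from items where id=?", (item_id,)).fetchone()[0]


def compare(new_value):
    """Run both paths on the same input; returns (eager outcome, lazy outcome)."""
    eager = fresh_db()
    try:
        eager_update(eager, new_value, 1)
        eager_result = stored_value(eager, 1)
    except sqlite3.Error as exc:
        # A quote inside the data was parsed as SQL syntax: proof the value
        # reached the database as query text rather than as a parameter.
        eager_result = f"error: {type(exc).__name__}"
    lazy = fresh_db()
    lazy_update(lazy, new_value, 1)
    return eager_result, stored_value(lazy, 1)


if __name__ == "__main__":
    print(compare("plain"))    # both paths store 'plain'
    print(compare("O'Brien"))  # eager path errors out; lazy path stores the apostrophe literally
```

The point the sketch makes is that the i-string object itself never has to be handed to a driver: a thin adapter (here `to_sql`) can emit whatever `paramstyle` the driver already declares, so existing DB-API code paths need no new type, only a one-line conversion at the boundary.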

_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/VX4QLIKNONV2UE6KNBJK6KA42MTVIUM7/
Code of Conduct: http://python.org/psf/codeofconduct/