On Mon, 4 Dec 2006, Barry Warsaw wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Dec 4, 2006, at 5:08 AM, Ben Wing wrote:
>
> > I see in PEP 3101 that there's some work going on to fix up the string
> > formatting capabilities of Python. It looks good to me, but it still
> > doesn't really address the lack of a simple interpolated string
> > mechanism, as in Perl or Ruby.

I don't think there's such a thing.

> After several years of use, I'm strongly +1 for this feature in some
> form or another.

I think it's a terrible idea in almost every form.

> There should be little security concern about the feature specifically,
> but you do need to be aware of an issue once you start hooking into
> catalogs.

The reason _why_ I think it's such a bad idea is that the above statement just doesn't gel with practical experience. Google will find plenty of reading material if you search for "php sql injection" or "php cross-site scripting".

That is to say: in many places where string interpolation is used, what you want is NOT a simple interpolation. Perhaps the feature was OK in the dim distant past of Perl, but back then Perl was aimed at being a tool for sysadmins, and sysadmins often deal with plain text files (in the Unix context). When presented with this misfeature, however, novice programmers see it as a great way to construct SQL queries, or perhaps produce HTML output with variables interpolated. In both instances the convenience of the expression leads to the dark path.

So unless there's a way to get strings to magically know their intended use, and to find a type- and use-safe way of doing interpolation that respects the quoting requirements of the eventual use (and I don't think that level of type inference is going to happen in Py3k), I think this is, on a practical level, inviting disaster.

You mention the need to quote variables that are interpolated. You're clearly a careful and thoughtful programmer. Python is a great language for novices too, and they may not have even been exposed to the concept of an injection attack.

Don't turn Python into the next PHP.

Cheers,
jan

-- 
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661 http://ioctl.org/jan/
Whose kung-fu is the best?
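The distinction jan draws between "simple" interpolation and interpolation that respects the quoting rules of the eventual use can be made concrete. The following is an added illustration, not code from the thread or from any Python proposal: it pastes a value into SQL and HTML text the naive way, then does the same job with driver parameters and `html.escape`, and finishes with a small use-aware `sql()` helper (a hypothetical name) that turns each `{field}` in a template into a `?` placeholder so the value never becomes part of the statement text. The database rows and the inputs are constructed for the demonstration.

```python
import html
import sqlite3
import string

# Constructed sample rows for an in-memory database (not from the thread).
USERS = [("alice", "Alice Liddell"), ("obrien", "Pat O'Brien")]


def _connection():
    """Fresh in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_login_naive(name):
    """'Simple interpolation' into SQL: the value is pasted into the statement
    text, so an apostrophe in ordinary data already changes the statement.
    Returns the matching logins, or None when the database rejects the query."""
    query = "SELECT login FROM users WHERE name = '%s'" % name
    try:
        return [row[0] for row in _connection().execute(query)]
    except sqlite3.Error:
        return None


def sql(template, **values):
    """Use-aware interpolation for SQL (hypothetical helper): every {field} in
    the template becomes a '?' placeholder and its value is handed to the
    driver as a parameter, so data can never alter the statement text."""
    text, params = [], []
    for literal, field, spec, conv in string.Formatter().parse(template):
        text.append(literal)
        if field is not None:
            if spec or conv:
                raise ValueError("format specs have no meaning in SQL templates")
            text.append("?")
            params.append(values[field])
    return "".join(text), tuple(params)


def find_login_safe(name):
    """Same lookup through the use-aware helper: the apostrophe is just data."""
    query, params = sql("SELECT login FROM users WHERE name = {name}", name=name)
    return [row[0] for row in _connection().execute(query, params)]


def greeting_naive(name):
    """'Simple interpolation' into HTML: markup in the value becomes markup."""
    return "<p>Hello, %s</p>" % name


def greeting_safe(name):
    """Interpolation that respects HTML quoting rules: the value is escaped
    for the context it lands in, so it is rendered as text, never as markup."""
    return "<p>Hello, %s</p>" % html.escape(name)


if __name__ == "__main__":
    print(find_login_naive("Alice Liddell"))   # works only while no quote appears
    print(find_login_naive("Pat O'Brien"))     # None: the statement itself broke
    print(find_login_safe("Pat O'Brien"))      # ['obrien']
    print(greeting_naive("<b>Pat</b>"))        # markup leaks through
    print(greeting_safe("<b>Pat</b>"))         # markup rendered as text
```

The point of `sql()` is not that templates are bad, but that the template has to be parsed with knowledge of where the result is going: the SQL text and the values travel separately to the driver, exactly the "use-safe" interpolation the message says a generic string feature cannot provide on its own.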
_______________________________________________
Python-3000 mailing list
Python-3000@python.org
http://mail.python.org/mailman/listinfo/python-3000
Unsubscribe: http://mail.python.org/mailman/options/python-3000/archive%40mail-archive.com