plenty of things can go wrong, since you have control of how many and which variables to interpolate, e.g.:
i"SELECT {settings.SECRET_KEY};"
PS: (I don't know why but HN is not updating the page with the reply links needed, so I'll just edit this)
Yes, I agree. I think that the misunderstanding happened when mixmastamyk wrote
> That's a good thing due to security reasons as arbitrary expressions are allowed. There are plenty of templating solutions available
The point is that even if you don't allow arbitrary expressions (which imho are a mistake, and of which I haven't seen a single use case yet), having this kind of interpolation from strings that are not literals (i.e. are not in the trusted source code) would still be a security issue
Since the PEPs apparently don't propose to extend this to non-literals, we're safe. But it's better to be wary and attentively review such proposals...
In fact, I just realized right now that Animats might have misunderstood PEP 501, since
sql(i"SELECT {column} FROM {table};")
should be perfectly safe from sqli vulns
PPS: Unless Animats is pointing out how switching i'' for f'' is a terribly simple mistake to make and hard to spot during a code review... I agree with that
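An added example (not from the thread, and not real PEP 501 code, which no CPython release implements) showing the mechanism the comment above relies on: a hypothetical `Template` class stands in for what an i-string would produce, keeping the literal source chunks apart from the interpolated runtime values, and a `sql()` consumer turns it into a parameterised query, beside the f-string version that just concatenates.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    """Hypothetical stand-in for the object an i-string would produce:
    the literal chunks written in source (trusted) and the runtime values
    interpolated between them (untrusted), kept apart."""
    strings: tuple   # always one more chunk than there are values
    values: tuple


def sql(tpl: Template) -> tuple[str, tuple]:
    """Consumer in the spirit of sql(i"..."): literal chunks become the
    query text, each interpolated value becomes a bound parameter."""
    assert len(tpl.strings) == len(tpl.values) + 1
    return "?".join(tpl.strings), tpl.values


def fstring_query(name: str) -> str:
    # The f-string counterpart: the value is pasted into the SQL text,
    # so the database cannot tell data apart from code.
    return f"SELECT id FROM users WHERE name = '{name}'"


def demo() -> tuple[list, list]:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    name = "x' OR '1'='1"   # constructed, deliberately hostile input
    # What i"SELECT id FROM users WHERE name = {name}" would hand to sql()
    query, params = sql(Template(("SELECT id FROM users WHERE name = ", ""),
                                 (name,)))
    with_template = conn.execute(query, params).fetchall()      # []
    with_fstring = conn.execute(fstring_query(name)).fetchall()  # every row
    return with_template, with_fstring


if __name__ == "__main__":
    print(demo())
```

Note that binding an identifier such as {table} as a parameter does not work in SQLite; a real sql() consumer would have to quote identifiers separately and bind only values, which the template's separation of chunks and values still makes possible.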