+1

On Fri, May 7, 2021 at 10:42 PM Nick Humrich <[email protected]> wrote:
> PEP 501 was deferred because more learning and time was wanted after
> introducing f-strings. Now that it has been 5 years, I wonder what the
> possibilities of revisiting PEP 501 are.
>
> I recently had the experience of using javascript "tagged template
> literals" and was able to build a SQL string parser that is impossible to
> have SQL injection with. This is done by having the database connection
> object only accept a certain type of object, and all sql tagged template
> literals become that object. Because variables are lazy evaluated, the
> template function can turn all dynamic inputs into parameters in a SQL
> query. It is impossible for a dev to accidentally add a user-inputted string
> as a literal.
> PEP 501 already mentions how templates (i-strings?) can solve injection.
> This is a very incredible goal. Injection has been the #1 vulnerability on
> OWASP for over 10 years, and has been in the top 5 the entire time OWASP
> has existed (almost 20 years now).
> We have an opportunity to completely remove injection attacks.
>
> I won't go through and mention other possibilities of i-strings because
> the PEP already does an amazing job of doing that.
>
>
> All recent (within the last two years) discussions of PEP 501 have
> proposed PEP 501 as a solution to various ideas suggested, but then no
> further discussion on 501 happened. At least, not that I am aware of. If
> any further discussion of 501 has happened, I would be happy to read up and
> try to address any concerns.
> Some recent discussions where 501 is mentioned:
>
> https://mail.python.org/archives/list/[email protected]/thread/T3B56IXWSIPYFD33CMOSSYWMHPGLTDEZ/#MEE3X3HNLKU3ZX6JWHP3XCFUHELKHNLK
>
> https://mail.python.org/archives/list/[email protected]/thread/DX2ILPS2CHH5O5EGHQCAZG27NOZETYYQ/#WFYOO247PYWQNQW5CGOTVVBFBBLGCYCJ
>
> https://mail.python.org/archives/list/[email protected]/thread/3Z2YTIGJLSYMKKIGRSFK2DTDIXXVDGEK/#JMYEWFPO7XVLAX5VD7TBPNQW53SM3ZPN
>
> https://mail.python.org/archives/list/[email protected]/thread/DKW6Z6WKRWVPXPKYY2RUEX3NE4YZR5NR/#YBVUA74Y3FX7P5G4V74JQKQAADAUL4EM
>
> https://mail.python.org/archives/list/[email protected]/thread/ASPNKHVL7MSVVG3LHG2Z6S3SHV6AVIPN/#XKXXE7752ZBVULFTCOEOTZVCXGMXMY4L
>
>
> I would be willing to do any work required to get this PEP improved, but
> am very new to the PEP process and is what is needed. What is needed to
> revisit PEP 501, and what can I do to help?
>
> _______________________________________________
> Python-ideas mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> https://mail.python.org/mailman3/lists/python-ideas.python.org/
> Message archived at
> https://mail.python.org/archives/list/[email protected]/message/5AW73ICBD4CVCRUNISRNAERPPF2KSOGZ/
> Code of Conduct: http://python.org/psf/codeofconduct/
>
_______________________________________________
Python-ideas mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/[email protected]/message/KRW36VTPDFCGXEAIEN725GU42EFCFJQP/
Code of Conduct: http://python.org/psf/codeofconduct/
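The quoted post describes a connection object that accepts only query objects built from templates, so every interpolated value can only ever become a bound parameter. The following is an added example, not code from the thread and not PEP 501 syntax: a hypothetical `sql()` helper stands in for the template machinery by splitting `{name}` fields out with `string.Formatter`, and a `SafeConnection` wrapper over an in-memory sqlite3 database refuses anything that is a plain string (the `users` table and its rows are constructed).

```python
import sqlite3
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class SqlQuery:
    """Rendered template: SQL text with ? placeholders plus the parameter tuple."""
    text: str
    params: tuple

def sql(template: str, **values) -> SqlQuery:
    """Hypothetical stand-in for a PEP 501 template: each {name} field becomes a ?
    placeholder and its value moves into params, so data is never parsed as SQL."""
    parts, params = [], []
    for literal, field, _spec, _conv in string.Formatter().parse(template):
        parts.append(literal)
        if field is not None:
            if field not in values:
                raise KeyError(f"no value supplied for {{{field}}}")
            parts.append("?")
            params.append(values[field])
    return SqlQuery("".join(parts), tuple(params))

class SafeConnection:
    """Connection wrapper that refuses anything but a SqlQuery, as the post describes."""
    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn

    def execute(self, query: SqlQuery) -> sqlite3.Cursor:
        if not isinstance(query, SqlQuery):
            raise TypeError("only SqlQuery objects built by sql() are accepted")
        return self._conn.execute(query.text, query.params)

def find_user(user_name: str) -> list:
    """Constructed fixture: in-memory table with two users, looked up by name."""
    db = SafeConnection(sqlite3.connect(":memory:"))
    db.execute(sql("CREATE TABLE users (name TEXT)"))
    for n in ("alice", "bob"):
        db.execute(sql("INSERT INTO users VALUES ({n})", n=n))
    return db.execute(sql("SELECT name FROM users WHERE name = {name}", name=user_name)).fetchall()

def accepts_plain_string() -> bool:
    """True if the wrapper would run a bare str (e.g. an f-string); should be False."""
    try:
        SafeConnection(sqlite3.connect(":memory:")).execute("SELECT 1")
    except TypeError:
        return False
    return True
```

Because the lookup value travels in `params`, a name such as `alice' OR '1'='1` is compared literally and simply matches no row.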
