Avoid SQL Injection & Logging Overhead with t-Strings
Key Takeaways
The video discusses using t-Strings to avoid SQL injection and logging overhead, highlighting the limitations of f-strings in addressing these issues, and demonstrating how t-Strings provide a more secure and efficient solution by returning a template object instead of a string.
Full Transcript
Two problems that f-strings don't solve, which will kind of give you the context as to why this stuff is being done. The logging module still uses the old C-style string templates where you've got that whole percent-s as a placeholder thing going on. Not all logging calls actually log something. So if you're using the debug call but your level is set to error, then you don't want to spend any time doing calculations on formatting strings. You want to return as quickly as possible and do nothing. If you're using an f-string with a logging call, the string will get built before the call, meaning you're spending time on it, even if no log message is going to be output.

The second problem is one that's also been around for a long time: SQL injection. When you write code to a database API, you are sometimes allowed to write SQL as a string. A nefarious actor might pass in something that also modifies your SQL. This is called an injection, and it's a big problem. The famous little Bobby Tables cartoon is about exactly that. Python is doing the work that takes the f-string template and translates it into the resulting string. You as the programmer don't have any way of stepping into this.

So a t-string looks very much like an f-string, but it begins with the letter t instead, hence the name. But instead of returning a string, it returns a template object. This template object intentionally has no dunder str method. So you can't just cast it to a string. That's exactly what we're trying to avoid. Essentially, what's happening here is a hook into the f-string parser. A processed t-string template object contains the pieces that would have made up the equivalent f-string. By doing this, it gives you the ability to deal with each piece separately. For logging, that would mean not invoking all the to-string methods on the component arguments. And for something like SQL, it could mean escaping the content in order to avoid that injection.
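The two consumers the transcript describes, as an added example that is not Real Python's code: one walks the template's pieces and turns every interpolation into a bound `?` parameter for sqlite3, the other hands the template to `logging` so the interpolated values' `__str__` methods run only when a record is actually emitted. To stay runnable on interpreters older than 3.14, the template is built by calling `Template(...)` and `Interpolation(...)` directly instead of writing a `t"..."` literal (on 3.14 the literal `t"SELECT id FROM users WHERE name = {name}"` produces the same object); the fallback classes in the `except` branch, the `users` table, the `Expensive` class and the `LazyTemplateMessage` wrapper are all constructed for this example.

```python
"""Two consumers of a t-string template object: parameterised SQL and lazy logging.

Assumption: the template is constructed by hand (no t"..." literal) so the file
runs on Python versions before 3.14; on 3.14 string.templatelib is used as-is.
"""
import io
import logging
import sqlite3

try:
    # Python 3.14+: the real template types from PEP 750
    from string.templatelib import Interpolation, Template
except ImportError:
    # Stand-in with the same shape for older interpreters (assumption: a
    # template is just its pieces, iterated in order).
    class Interpolation:
        def __init__(self, value, expression="", conversion=None, format_spec=""):
            self.value = value
            self.expression = expression
            self.conversion = conversion
            self.format_spec = format_spec

    class Template:
        def __init__(self, *parts):
            self._parts = parts

        def __iter__(self):
            return iter(self._parts)


def sql_from_template(tmpl):
    """Literal text is copied through; each interpolation becomes a '?' placeholder
    and its value is passed to the driver as a bound parameter, so a value can
    never change the shape of the statement."""
    sql, params = [], []
    for piece in tmpl:
        if isinstance(piece, Interpolation):
            sql.append("?")
            params.append(piece.value)
        else:
            sql.append(piece)
    return "".join(sql), tuple(params)


def lookup_user(db, name):
    # Hardened form: the template keeps the value separate from the SQL text.
    tmpl = Template("SELECT id FROM users WHERE name = ", Interpolation(name, "name"))
    query, params = sql_from_template(tmpl)
    return [row[0] for row in db.execute(query, params)]


def lookup_user_unsafe(db, name):
    # The f-string form the video warns about: the value is pasted into the SQL.
    return [row[0] for row in db.execute(f"SELECT id FROM users WHERE name = '{name}'")]


def demo_sql(name):
    """Run both lookups against a constructed in-memory table; return (safe, unsafe)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return lookup_user(db, name), lookup_user_unsafe(db, name)


class LazyTemplateMessage:
    """logging calls str(msg) only when a handler formats the record, so the
    values' __str__ methods are never invoked for a level that is switched off."""
    def __init__(self, tmpl):
        self.tmpl = tmpl

    def __str__(self):
        return "".join(str(p.value) if isinstance(p, Interpolation) else p
                       for p in self.tmpl)


class Expensive:
    """Constructed stand-in for an object whose __str__ is costly; counts calls."""
    def __init__(self):
        self.str_calls = 0

    def __str__(self):
        self.str_calls += 1
        return "<expensive>"


def demo_logging():
    """Return (__str__ calls after a suppressed debug(), calls after an emitted
    error(), the text that reached the handler)."""
    logger = logging.getLogger("tstring-demo")
    logger.handlers.clear()
    logger.propagate = False
    sink = io.StringIO()
    logger.addHandler(logging.StreamHandler(sink))
    logger.setLevel(logging.ERROR)
    payload = Expensive()
    tmpl = Template("payload=", Interpolation(payload, "payload"))
    logger.debug(LazyTemplateMessage(tmpl))   # below ERROR: nothing is rendered
    calls_when_suppressed = payload.str_calls
    logger.error(LazyTemplateMessage(tmpl))   # emitted: rendered exactly once
    return calls_when_suppressed, payload.str_calls, sink.getvalue().strip()


if __name__ == "__main__":
    print(demo_sql("alice"), demo_sql("nobody' OR 'a'='a"))
    print(demo_logging())
```

With the constructed input `nobody' OR 'a'='a`, the f-string lookup returns every row while the template-driven lookup returns none, because the driver only ever sees `?` in the statement text; the logging half shows zero `__str__` calls for the suppressed `debug()` and one for the emitted `error()`.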
Original Description
From our podcast, episode 251 with Chris Trudeau (hosted by Chris Bailey).
See the XKCD comic here: https://xkcd.com/327/