Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
nhumrich 9 days ago

> You could achieve the same thing with a function returning an f-string no no.

> just use a tag type and a sanitisation function that takes a string and returns the type

Okay, so you have a `sqlstring(somestring)` function, and the dev has to call it. But... what if they pass in an f-string?

`sqlstring(f'select from mytable where col = {value}')`

You havent actually prevented/enforced anything. With template strings, its turtles all the way down. You can enforce they pass in a template and you can safely escape anything that is a variable because its impossible to have a variable type (possible injection) in the template literal.

ratorx 9 days ago | parent [-]

Added example to parent comment.

This example still works, the entire f-string is sanitised (including whatever the value of name was). Assuming sqlstring is the sanitisation function.

The “template” would be a separate function that returns an f-string bound from function arguments.

nhumrich 9 days ago | parent [-]

Yes. Only if your dev remembers to use sanatized all the time. This is how most SQL works today. You could also forget and accidentally write a f-string, or because you dont know. But with t-strings you can actually prevent unsanatized inputs. With your example, you need to intentionally sanitize still.

You cant throw an error on unsanitized because the language has no way to know if its sanitized or not. Either way, its just a string. "returning an f-string" is equivalent to returning a normal string at runtime.

ratorx 9 days ago | parent | next [-]

Well you enforce this with types. That’s how every other language does it. By specifying that the type of the function has to be a sanitised string, it will reject unsanitised string with the type checker.

> it has no way of knowing if it’s sanitised or not

It does. You define the SanitisedString class. Constructing one sanitises the string. Then when you specify that as the argument, it forces the user to sanitise the string.

If you want to do it without types, you can check with `isinstance` at runtime, but that is not as safe.

nhumrich 9 days ago | parent [-]

Your example is a bit too simple. What I mean by that is, you have hardcoded your function to inject a specific part of your string. But t-strings allow you to write the full query `t'select * from table where name = {name}'` directly, without have to use a function. This matters because the SQL connection library itself can enforce templates. SQL libraries can NOT enforce "sanitized types" because then you couldnt write raw sql without problems. They have to know the difference between "this is hard coded" and "this is a dynamic user variable". And the libraries can't know that, without t-strings.

stefan_ 9 days ago | parent | prev [-]

No, most SQL today uses placeholders and has since circa 2008. If you are sanitizing you are doing it wrong to begin with.