Python 3.11: A Guided Tour Through Code Transcripts
Chapter: Type Updates for 3.11
Lecture: What is a Literal String and Why We Heed It

Learn more about this course
Login or purchase this course to watch this video and the rest of the course contents.
0:00 There's a bunch of other features for python types in 3.11,
0:04 6 or seven that you might really want to pay attention to but they're not that commonly used this one though
0:11 If you're doing anything with something like mypy where it's doing validation of the types really carefully or presumably
0:20 editors like PyCharm will adopt this. Although we saw they're not really doing with the current feature so they're
0:26 not doing with this one either is something called literal strings and we've all heard of SQL injection attacks and other
0:35 types of injection attacks. Think of like the log for j log for shell problems as well.
0:42 There's a bunch of them. So here we have a query that's entirely safe. It's a literal string. It's not made up from variables or combined at runtime.
0:51 It's just static and it says select star from users where validated is true. Hey give me all the validated users easy, easy to do now.
1:01 We might have some code that it's not as good.
1:04 Like what is your child's name then we'll say select star from users where name is quote whatever they typed in
1:12 they typed Jaimee, you're probably going to get the kid named Jamie.
1:16 But if you're feeling a little mischievous, maybe type --semicolon drop table users semicolon--.
1:25 What does that do? The first quote in the name closes out
1:29 the opening quote in the name equals so it would say name equals nothing and then the semi colon ends at
1:35 select statement says new sql statement drop table users in that statement dash dash comment out whatever's after that so that
1:43 it won't make the results invalid or crash. So for example, if there's a transaction so you want that to commit,
1:51 this is not good. This is not good and this is not a literal string because it's made up of different variables at runtime. That's not fine.
2:01 See xkcd exploits of a mom to find out exactly why.


Talk Python's Mastodon Michael Kennedy's Mastodon