Author Topic: C# Strings are AWESOME  (Read 12505 times)

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Re: C# Strings are AWESOME
« Reply #25 on: October 04, 2018, 12:10:43 PM »
Web programming seems like a perfect example of an area where you wouldn't want to trust inputs. Though with templates, usually the format strings are not something the end user has control over, so you should be ok in most cases. It can still be easy to go wrong though, such as the following C code:
Code: c [Select]

printf(userInputtedString);  // Warning! Security risk, don't do this!


The above is actually a security risk, which allows the user to read and display arbitrary memory locations. The proper way is:
Code: c [Select]

printf("%s", userInputtedString);


That way the user input won't be scanned for formatting codes.



For Python, how would you go about creating a dynamic f-string? I assume for language translations, you'd want the f-strings to be dynamic. I'm also curious if there are access rules, or ways to restrict what f-strings may read.
Code: python [Select]

database_password = 'someSuper_secretStr1ng'
username = get_username()

print(f'Welcome {database_password}! ;)')


Offline Arklon

  • Administrator
  • Hero Member
  • *****
  • Posts: 1269
Re: C# Strings are AWESOME
« Reply #26 on: October 04, 2018, 12:25:51 PM »
For Python, how would you go about creating a dynamic f-string? I assume for language translations, you'd want the f-strings to be dynamic. I'm also curious if there are access rules, or ways to restrict what f-strings may read.
Code: python [Select]

database_password = 'someSuper_secretStr1ng'
username = get_username()

print(f'Welcome {database_password}! ;)')


F-strings are awesome, but because they're always evaluated on the spot, they're not very usable as templates. There's a PEP for i-strings which are basically just f-strings that are lazy-evaluated that I hope makes it in.

Offline Angellus Mortis

  • Full Member
  • ***
  • Posts: 138
Re: C# Strings are AWESOME
« Reply #27 on: October 04, 2018, 12:29:48 PM »
Web programming seems like a perfect example of an area where you wouldn't want to trust inputs. Though with templates, usually the format strings are not something the end user has control over, so you should be ok in most cases. It can still be easy to go wrong though, such as the following C code:
Code: c [Select]

printf(userInputtedString);  // Warning! Security risk, don't do this!


Oh yeah yeah. User input validation is a whole other topic. SQL injections, XSS attacks, etc. Web programming tends to be very complicated due to how many moving parts there are to building a "dynamic HTTP application". There are actually a lot of those security layers are just build into the lower framework layers. I mostly like to work with Django (MVC Python Web framework) and it by default assumes all variables coming into or going out of the framework (like when you are parsing GET/POST vars or generating HTML templates) are insecure and need sanitized. With the nature of it being a more dynamic language, you have to build a lot more type and input validation than you would with a high level static compiled language (like C# or Java). Security 101 for Web programming is something called the OWASP Top 10, if you have never heard of it. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

For Python, how would you go about creating a dynamic f-string? I assume for language translations, you'd want the f-strings to be dynamic. I'm also curious if there are access rules, or ways to restrict what f-strings may read.
Code: python [Select]

database_password = 'someSuper_secretStr1ng'
username = get_username()

print(f'Welcome {database_password}! ;)')


That is a wonderful question. I have not had the use case for that yet. It looks like if you need to construct dynamic templates, you usually fall back on the .format method of doing string formatting. Generally once I start getting into advanced string templating, I add a library like Jinja2 or something. Jinja evolved from the Django templating language and now its standalone thing that gets used in a lot of places. I know under the hood both Ansible and Packer use Jinja2 for their templating engine under the hood.
« Last Edit: October 04, 2018, 12:31:59 PM by Angellus Mortis »

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Re: C# Strings are AWESOME
« Reply #28 on: October 04, 2018, 12:55:16 PM »
Ahh, ok, that makes sense. Having f-strings evaluated in place negates the major security concerns. Makes sense to just use the older .format method for templates, which would be a secure way of doing it, and would allow for dynamic strings and language translations.

I was not aware of the OWASP thing. That is good to know about. Thank you!