Hacker News: pgjones

New comment by pgjones in "Show HN: SQL-tString a t-string SQL builder in Python"

pgjones — Sat, 17 May 2025 20:22:05 +0000

The `sql_context` feature is meant to protect against SQL injection. I think for your usecase you would need to supply all columns, but you could used nested t-strings included based on whatever logic you need.

New comment by pgjones in "Show HN: SQL-tString a t-string SQL builder in Python"

pgjones — Fri, 16 May 2025 19:12:06 +0000

It does parse the SQL. At the moment an expression is defined as all the text between the appropriate separators given the clause.

New comment by pgjones in "Show HN: SQL-tString a t-string SQL builder in Python"

pgjones — Fri, 16 May 2025 17:07:06 +0000

Sorry that is a typo, I meant,

    with sql_context(columns={"x"}):

New comment by pgjones in "Show HN: SQL-tString a t-string SQL builder in Python"

pgjones — Fri, 16 May 2025 14:37:57 +0000

Thank you! My Google foo did not find this.

New comment by pgjones in "Show HN: SQL-tString a t-string SQL builder in Python"

pgjones — Fri, 16 May 2025 14:37:17 +0000

The presence of Absent removes the entire expression, and if that removal results in an empty clause (or group) it will remove that as well. For example if `a = Absent` `WHERE a = {a}` will remove everything, whereas `WHERE a = {a} AND b = {b}` will result in `WHERE b = {b}`.

> Do you support templating a sql tstring into an sql tstring for composition?

Yep

New comment by pgjones in "Show HN: SQL-tString a t-string SQL builder in Python"

pgjones — Fri, 16 May 2025 14:35:14 +0000

Thanks, do you have a reference for SQL grammar - I've had no success finding an official source.

Show HN: SQL-tString a t-string SQL builder in Python

pgjones — Fri, 16 May 2025 12:48:22 +0000

SQL-tString is a SQL builder that utilises the recently accepted PEP-750, https://peps.python.org/pep-0750/, t-strings to build SQL queries, for example,

    from sql_tstring import sql
    
    val = 2
    query, values = sql(t"SELECT x FROM y WHERE x = {val}")
    assert query == "SELECT x FROM y WHERE x = ?"
    assert values == [2]
    db.execute(query, values)  # Most DB engines support this

The placeholder ? protects against SQL injection, but cannot be used everywhere. For example, a column name cannot be a placeholder. If you try this SQL-tString will raise an error,

    col = "x"
    sql(t"SELECT {col} FROM y")  # Raises ValueError

To proceed you'll need to declare what the valid values of col can be,

    from sql_tstring import sql_context
    
    with sql_context(columns="x"):
        query, values = sql(t"SELECT {col} FROM y")
    assert query == "SELECT x FROM y"
    assert values == []

Thus allowing you to protect against SQL injection.

As t-strings are format strings you can safely format the literals you'd like to pass as variables,

    text = "world"
    query, values = sql(t"SELECT x FROM y WHERE x LIKE '%{text}'")
    assert query == "SELECT x FROM y WHERE x LIKE ?"
    assert values == ["%world"]

This is especially useful when used with the Absent rewriting value.

SQL-tString is a SQL builder and as such you can use special RewritingValues to alter and build the query you want at runtime. This is best shown by considering a query you sometimes want to search by one column a, sometimes by b, and sometimes both,

    def search(
        *,
        a: str | AbsentType = Absent,
        b: str | AbsentType = Absent
    ) -> tuple[str, list[str]]:
        return sql(t"SELECT x FROM y WHERE a = {a} AND b = {b}")
    
    assert search() == "SELECT x FROM y", []
    assert search(a="hello") == "SELECT x FROM y WHERE a = ?", ["hello"]
    assert search(b="world") == "SELECT x FROM y WHERE b = ?", ["world"]
    assert search(a="hello", b="world") == (
        "SELECT x FROM y WHERE a = ? AND b = ?", ["hello", "world"]
    )

Specifically Absent (which is an alias of RewritingValue.ABSENT) will remove the expression it is present in, and if there an no expressions left after the removal it will also remove the clause.

The other rewriting values I've included are handle the frustrating case of comparing to NULL, for example the following is valid but won't work as you'd likely expect,

    optional = None
    sql(t"SELECT x FROM y WHERE x = {optional}")

Instead you can use IsNull to achieve the right result,

    from sql_tstring import IsNull

    optional = IsNull
    query, values = sql(t"SELECT x FROM y WHERE x = {optional}")
    assert query == "SELECT x FROM y WHERE x IS NULL"
    assert values == []

There is also a IsNotNull for the negated comparison.

The final feature allows for complex query building by nesting a t-string within the existing,

    inner = t"x = 'a'"
    query, _ = sql(t"SELECT x FROM y WHERE {inner}")
    assert query == "SELECT x FROM y WHERE x = 'a'"

This library can be used today without Python3.14's t-strings with some limitations, https://github.com/pgjones/sql-tstring?tab=readme-ov-file#pr..., and I've been doing so this year. Thoughts and feedback very welcome.

Comments URL: https://news.ycombinator.com/item?id=44004827

Points: 85

# Comments: 35

New comment by pgjones in "PEP 750 – Template Strings"

pgjones — Thu, 10 Apr 2025 21:49:06 +0000

If you want to see a usage for this I've built, and use, [SQL-tString](https://github.com/pgjones/sql-tstring) as an SQL builder.

New comment by pgjones in "What's up Python? Django get background tasks, a new REPL, bye bye gunicorn"

pgjones — Tue, 25 Jun 2024 13:53:19 +0000

Quart, the ASGI version of Flask, also has background tasks, https://quart.palletsprojects.com/en/latest/how_to_guides/ba..., and there is an extension Quart-Tasks, https://github.com/pgjones/quart-tasks, to run them on a schedule. Via

    @tasks.cron("*/5 * * * *")  # every 5 minutes
    async def infrequent_task():
        ...

In addition Hypercorn, https://github.com/pgjones/hypercorn, (a ASGI and WSGI) also does not use gunicorn, having migrated many years ago.

New comment by pgjones in "Visualizing algorithms for rate limiting"

pgjones — Fri, 17 May 2024 08:37:49 +0000

It is a shame GCRA is not more well known and used for rate limiting. It is, in my view, a better algorithm.

https://medium.com/smarkets/implementing-gcra-in-python-5df1... https://en.m.wikipedia.org/wiki/Generic_cell_rate_algorithm

New comment by pgjones in "Tell HN: Flask and Quart have now partially merged"

pgjones — Sun, 01 Oct 2023 13:45:18 +0000

Yes, I've written about this comparison in detail https://pgjones.dev/blog/fastapi-flask-quart-2022/.

New comment by pgjones in "Tell HN: Flask and Quart have now partially merged"

pgjones — Sun, 01 Oct 2023 09:25:15 +0000

There are new logos for all the Pallets projects and Pallets itself, based on a common theme.

Tell HN: Flask and Quart have now partially merged

pgjones — Sun, 01 Oct 2023 08:49:26 +0000

Flask is a web microframework built to be used with WSGI servers and synchronous code. Quart is the same web microframework built to be used with ASGI servers and asynchronous code. In other words Flask and Quart are now the same base framework as they share the majority of their codebases.

This means that you can use the same framework API and understanding to write synchronous code with Flask, and asynchronous code with Quart.

It is important to note that Flask cannot be made asynchronous without breaking extension and backwards compatibility, or without using monkeypatching. Therefore, Quart is best viewed as a namespace for async/await usages.

Questions and comments very welcome. (I'm struggling a little thinking about how best to communicate this)

Comments URL: https://news.ycombinator.com/item?id=37724032

Points: 20

# Comments: 7

New comment by pgjones in "Ask HN: Could you share your personal blog here?"

pgjones — Wed, 05 Jul 2023 12:15:21 +0000

https://pgjones.dev

I blog mostly about Python web developed, especially Flask, Quart and Hypercorn related aspects.

Tips and techniques for modern Flask apps

pgjones — Mon, 06 Feb 2023 14:28:34 +0000

Article URL: https://pgjones.dev/blog/modern-flask-2023/

Comments URL: https://news.ycombinator.com/item?id=34677695

Points: 2

# Comments: 0

New comment by pgjones in "Ask HN: What have you created that deserves a second chance on HN?"

pgjones — Thu, 26 Jan 2023 16:09:44 +0000

I've three things :),

1. Quart, https://quart.palletsprojects.com, an ASGI (async/await) re-implementation of the Python web MicroFramework Flask. It is now maintained alongside, by the same people, as Flask.

2. Hypercorn, https://hypercorn.readthedocs.io, an ASGI/WSGI server that supports HTTP/1, HTTP/2, and HTTP/3.

3. My book "A Blueprint for Production-Ready Web Applications", which uses both of the above and shows a beginner how to build a full stack app (React frontend) running on AWS. See https://pgjones.dev/tozo/ for details, code, and link to the example app.

New comment by pgjones in "There are no open issues or pull requests on Flask"

pgjones — Sat, 02 Jul 2022 08:21:55 +0000

It is also easier to manage for Flask - it is very mature and we fixed most of the issues present in FastAPI many years ago.

New comment by pgjones in "There are no open issues or pull requests on Flask"

pgjones — Sat, 02 Jul 2022 08:19:43 +0000

Flask supports async, see https://flask.palletsprojects.com/en/2.1.x/async-await/.

Also see Quart https://github.com/pgjones/quart (which is Flask re-implemented with async-await) and Quart-Schema, https://github.com/pgjones/quart-schema for swagger docs.

Faster Routing for Flask and Quart

pgjones — Fri, 01 Jul 2022 15:47:01 +0000

Article URL: https://pgjones.dev/blog/faster-routing-2022/

Comments URL: https://news.ycombinator.com/item?id=31948086

Points: 4

# Comments: 0

New comment by pgjones in "Gunicorn"

pgjones — Tue, 11 Jan 2022 12:16:44 +0000

Or Hypercorn https://gitlab.com/pgjones/hypercorn if you want HTTP/1, HTTP/2, and HTTP/3.