What were the MS-DOS programs that the moricons.dll icons were intended for? (devblogs.microsoft.com)

SQL-tString is a SQL builder that utilises the recently accepted PEP-750, https://peps.python.org/pep-0750/, t-strings to build SQL queries, for example,

    from sql_tstring import sql
    
    val = 2
    query, values = sql(t"SELECT x FROM y WHERE x = {val}")
    assert query == "SELECT x FROM y WHERE x = ?"
    assert values == [2]
    db.execute(query, values)  # Most DB engines support this

The placeholder ? protects against SQL injection, but cannot be used everywhere. For example, a column name cannot be a placeholder. If you try this SQL-tString will raise an error,

    col = "x"
    sql(t"SELECT {col} FROM y")  # Raises ValueError

To proceed you'll need to declare what the valid values of col can be,

    from sql_tstring import sql_context
    
    with sql_context(columns="x"):
        query, values = sql(t"SELECT {col} FROM y")
    assert query == "SELECT x FROM y"
    assert values == []

Thus allowing you to protect against SQL injection.

As t-strings are format strings you can safely format the literals you'd like to pass as variables,

    text = "world"
    query, values = sql(t"SELECT x FROM y WHERE x LIKE '%{text}'")
    assert query == "SELECT x FROM y WHERE x LIKE ?"
    assert values == ["%world"]

This is especially useful when used with the Absent rewriting value.

SQL-tString is a SQL builder and as such you can use special RewritingValues to alter and build the query you want at runtime. This is best shown by considering a query you sometimes want to search by one column a, sometimes by b, and sometimes both,

    def search(
        *,
        a: str | AbsentType = Absent,
        b: str | AbsentType = Absent
    ) -> tuple[str, list[str]]:
        return sql(t"SELECT x FROM y WHERE a = {a} AND b = {b}")
    
    assert search() == "SELECT x FROM y", []
    assert search(a="hello") == "SELECT x FROM y WHERE a = ?", ["hello"]
    assert search(b="world") == "SELECT x FROM y WHERE b = ?", ["world"]
    assert search(a="hello", b="world") == (
        "SELECT x FROM y WHERE a = ? AND b = ?", ["hello", "world"]
    )

Specifically Absent (which is an alias of RewritingValue.ABSENT) will remove the expression it is present in, and if there an no expressions left after the removal it will also remove the clause.

The other rewriting values I've included are handle the frustrating case of comparing to NULL, for example the following is valid but won't work as you'd likely expect,

    optional = None
    sql(t"SELECT x FROM y WHERE x = {optional}")

Instead you can use IsNull to achieve the right result,

    from sql_tstring import IsNull

    optional = IsNull
    query, values = sql(t"SELECT x FROM y WHERE x = {optional}")
    assert query == "SELECT x FROM y WHERE x IS NULL"
    assert values == []

There is also a IsNotNull for the negated comparison.

The final feature allows for complex query building by nesting a t-string within the existing,

    inner = t"x = 'a'"
    query, _ = sql(t"SELECT x FROM y WHERE {inner}")
    assert query == "SELECT x FROM y WHERE x = 'a'"

This library can be used today without Python3.14's t-strings with some limitations, https://github.com/pgjones/sql-tstring?tab=readme-ov-file#pr..., and I've been doing so this year. Thoughts and feedback very welcome.

Comments (15)

hombre_fatal · 7m ago

I thought this was just going to be the same ol "where id = {id}" interpolation but dang, those are some crazy examples.

I can imagine the behavior takes some trial and error to figure out, but it looks like you can write a search() query that contains fully-loaded sql statement as if all facets were provided, yet you can make each facet optional and those expressions will get removed from the statement.

That would be much nicer than the traditional route of building up a where clause with a bunch of if-statements where it's very hard to understand what the final where clause might look like without print(statement).

I'd rather write the whole SQL statement upfront which this seems to let you do.

jitl · 1h ago

How does the SQL parsing work for the rewrites like removing expressions? I have a project using some non-standard SQL features and we have quite complex queries going on, so the rewriting makes me a bit nervous. The great thing about tstrings for sql is that it’s a total escape from “magick” creating ineffable and unknown sql replacing with very straightforward what you see is what you get sql right in the source code.

Do you support templating a sql tstring into an sql tstring for composition?

I use that feature a lot with the roughly equivalent TypeScript sql`…` template literals for the NOT NULL thing and handling absence but it’s all ternaries in “user space”.

pgjones · 1h ago

The presence of Absent removes the entire expression, and if that removal results in an empty clause (or group) it will remove that as well. For example if `a = Absent` `WHERE a = {a}` will remove everything, whereas `WHERE a = {a} AND b = {b}` will result in `WHERE b = {b}`.

> Do you support templating a sql tstring into an sql tstring for composition?

Yep

schultzer · 1h ago

Just took a quick look, and it seams like the parser is hand written which is great, but you probably want to build a lexer and parser based on the BNF grammar take a look at how I do it here https://github.com/elixir-dbvisor/sql/tree/main/lib and do conformance testing with https://github.com/elliotchance/sqltest

pgjones · 1h ago

Thanks, do you have a reference for SQL grammar - I've had no success finding an official source.

schultzer · 1h ago

You can google SQL grammar. But here is the 2025: https://standards.iso.org/iso-iec/9075/-2/ed-6/en/

pgjones · 1h ago

Thank you! My Google foo did not find this.

schultzer · 1h ago

Not really sure what a t string is or if it’s a macro, but feel similar to https://github.com/elixir-dbvisor/sql but less elegant and ergonomic.

1_08iu · 5m ago

t-strings (or template strings) are an upcoming Python 3.14 feature. They have similar syntax to f-strings (which were introduced in 3.6) except that they provide access to the string and the interpolated values (the bits inside the curly brackets) before they have been combined. Previously, something like

  db.query(f"SELECT * FROM table WHERE id={id};")

would have been vulnerable to the classic "bobby tables" SQL injection but t-strings allow for almost the same syntax (which is quite natural for Python programmers) without incurring a security risk.

If you are curious, t-strings have previously been discussed here (https://news.ycombinator.com/item?id=43748512 and https://news.ycombinator.com/item?id=43647716) and you can read the PEP that proposed their addition to the language (https://peps.python.org/pep-0750/).

sirfz · 1h ago

Technically this enforces parameterized queries since all it does is basically return the parameterized query in the given db client dialect and the list of parameters. It could be useful for building a unified interface for all sql db clients for example (instead of having to remember whether parameters are %s or ? or {param}, etc). On the other hand, db clients can utilize t-strings to directly allow you to safely execute queries such as t"select * from table where id = {id}" without passing any extra parameters.

No comments yet

owlstuffing · 28m ago

Languages should strive to type safely inline SQL and other structured data.

With Java the manifold project achieves this via compiler plugin. The manifold-sql[1] module provides inline, type safe, native SQL.

1.https://github.com/manifold-systems/manifold/blob/master/man...

schultzer · 21m ago

If your language has macros you can get by as well https://github.com/elixir-dbvisor/sql

90s_dev · 1h ago

Your library looks great. But a tangential rant about t-strings, using lexical scope for placeholder lookup is just a terrible, terrible design. It should be explicitly passed in a dictionary. I'm not sure why they made this decision.

jitl · 1h ago

If they’re gonna do that why bother making a new concept? You could already build(normalString, someDict)

Like why make me state “A goes here, also the value of A is 1” when I can just say “1 goes here”? When I build an array or map, I just write the expression

{ key1: value1 }

I don’t need to write

build({ key1, value1 }, { “key1”: key1, “value1”: value1 })

Why should an sql literal be any different from an array or dictionary literal?

90s_dev · 1h ago

Yeah in retrospect it's identical to what JavaScript does with string literals. I don't know what I was thinking.

Show HN: Visual flow-based programming for Erlang, inspired by Node-RED (github.com)

A Research Preview of Codex (openai.com)

I'm Peter Roberts, immigration attorney, who does work for YC and startups. AMA

Assuring an Accurate Research Record (economics.mit.edu)

The first year of free-threaded Python (labs.quansight.org)

Show HN: SQL-tString a t-string SQL builder in Python (github.com)

Sci-Net (sci-hub.se)

Explaining British Naval Dominance During the Age of Sail (lesswrong.com)

Show HN: Rv, a Package Manager for R (github.com)

Ground control to Major Trial (virtualize.sh)

Tower Defense: Cache Control (jasonthorsness.com)

Material 3 Expressive (design.google)

Evolution of Rust Compiler Errors (kobzol.github.io)

Dalus (YC W25) is hiring an engineer for hardware system design software (ycombinator.com)

What were the MS-DOS programs that the moricons.dll icons were intended for? (devblogs.microsoft.com)

Ollama's new engine for multimodal models (ollama.com)

The Awful German Language (1880) (faculty.georgetown.edu)

Náhuatl and Mayan Language Renaissance Occurring in Mexico (yucatanmagazine.com)

Baby is healed with first personalized gene-editing treatment (nytimes.com)

The average workday increased during the pandemic’s early weeks (2020) (library.hbs.edu)

Beyond Text: On-Demand UI Generation for Better Conversational Experiences (blog.fka.dev)

Teal – A statically-typed dialect of Lua (teal-language.org)

Ed Smylie, Who Saved the Apollo 13 Crew with Duct Tape, Dies at 95 (nytimes.com)

BuyMeACoffee silently dropped support for many countries (2024) (zverok.space)

Cracked – Method chaining/CSS-style selector web audio library (github.com)

Launch HN: Tinfoil (YC X25): Verifiable Privacy for Cloud AI

Zinc Microcapacitors Are the Best of Both Worlds (spectrum.ieee.org)

Ollama violating llama.cpp license for over a year (github.com)

Windsurf SWE-1: Our First Frontier Models (windsurf.com)

Thermoelectric generator based on a robust carbon nanotube/BiSbTe foam (onlinelibrary.wiley.com)

Java at 30: The Genius Behind the Code That Changed Tech (thenewstack.io)

Lock-Free Rust: How to Build a Rollercoaster While It's on Fire (yeet.cx)

Tek – A music making program for 24-bit Unicode terminals (codeberg.org)

A leap year check in three instructions (hueffner.de)

Leeks and Leaks (daniel.haxx.se)

GTK Krell Monitors (gkrellm.srcbox.net)

The current state of TLA⁺ development (ahelwer.ca)

NASA keeps ancient Voyager 1 spacecraft alive with Hail Mary thruster fix (theregister.com)

Comma 3X: Initial Impressions (beesbuzz.biz)

The unreasonable effectiveness of an LLM agent loop with tool use (sketch.dev)

Archisuits (2005–2006) (insecurespaces.net)

“The Mind in the Wheel” lays out a new foundation for the science of mind (experimental-history.com)

Coinbase says hackers bribed staff to steal customer data, demanding $20M ransom (cnbc.com)

Dr. Dobb's Journal interviews Jef Raskin (1986) (computeradsfromthepast.substack.com)

Rolling Highway (en.wikipedia.org)

After months of coding with LLMs, I'm going back to using my brain (albertofortin.com)

In the US, a rotating detonation rocket engine takes flight (arstechnica.com)

Working on complex systems: What I learned working at Google (thecoder.cafe)

Show HN: A free AI risk assessment tool for LLM applications (gettavo.com)

OWASP Top for Large Language Model Applications (owasp.org)

Show HN: SQL-tString a t-string SQL builder in Python

Comments (15)