68

I want to use f-string with my string variable, not with string defined with a string literal, "...".

Here is my code:

name=["deep","mahesh","nirbhay"]
user_input = r"certi_{element}" # this string I ask from user  

for element in name:
    print(f"{user_input}")

This code gives output:

certi_{element}
certi_{element}
certi_{element}

But I want:

certi_{deep}
certi_{mahesh}
certi_{nirbhay}

How can I do this?

peterh
  • 11,875
  • 18
  • 85
  • 108
Deep Ghodasara
  • 768
  • 1
  • 5
  • 9
  • 4
    You ***do not want*** users being able to execute arbitrary code. Make it a dictionary lookup or something like that. – user3483203 Jan 24 '19 at 16:56
  • 2
    @user3483203: where is the user stating that they expect to be able to use arbitrary variables? There is nothing here to say that just any name can be used. – Martijn Pieters Jan 24 '19 at 17:02
  • 1
    @MartijnPieters my comment has nothing to do with arbitrary variables. I'm saying that they shouldn't want an expression inside a user's input to be evaluated. – user3483203 Jan 24 '19 at 17:04
  • 2
    @user3483203: right, I don't know if the OP is expecting full expression support (or are even aware of that feature existing). They are asking for a variable, so `str.format()` more than suffices. – Martijn Pieters Jan 24 '19 at 17:05
  • Related [How to postpone/defer the evaluation of f-strings?](https://stackoverflow.com/questions/42497625/how-to-postpone-defer-the-evaluation-of-f-strings) – wim Sep 21 '20 at 19:08

5 Answers5

70

f"..." strings are great when interpolating expression results into a literal, but you don't have a literal, you have a template string in a separate variable.

You can use str.format() to apply values to that template:

name=["deep","mahesh","nirbhay"]
user_input = "certi_{element}" # this string i ask from user  

for value in name:
    print(user_input.format(element=value))

String formatting placeholders that use names (such as {element}) are not variables. You assign a value for each name in the keyword arguments of the str.format() call instead. In the above example, element=value passes in the value of the value variable to fill in the placeholder with the element.

Unlike f-strings, the {...} placeholders are not expressions and you can't use arbitrary Python expressions in the template. This is a good thing, you wouldn't want end-users to be able to execute arbitrary Python code in your program. See the Format String Syntax documenation for details.

You can pass in any number of names; the string template doesn't have to use any of them. If you combine str.format() with the **mapping call convention, you can use any dictionary as the source of values:

template_values = {
    'name': 'Ford Prefect',
    'number': 42,
    'company': 'Sirius Cybernetics Corporation',
    'element': 'Improbability Drive',
}

print(user_input.format(**template_values)

The above would let a user use any of the names in template_values in their template, any number of times they like.

While you can use locals() and globals() to produce dictionaries mapping variable names to values, I'd not recommend that approach. Use a dedicated namespace like the above to limit what names are available, and document those names for your end-users.

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
  • What if I don't know what user give in { }. In our case : element. – Deep Ghodasara Jan 24 '19 at 17:26
  • @DeepGhodasara: you'd still have to tell the user to use specific names. While you can [parse out what names are used in a template](https://stackoverflow.com/q/25996937/100297), you'd still have to map those names to values. I've added how you'd give someone access to multiple names that they can pick from. – Martijn Pieters Jan 24 '19 at 17:45
45

If you define:

def fstr(template):
    return eval(f"f'{template}'")

Then you can do:

name=["deep","mahesh","nirbhay"]
user_input = r"certi_{element}" # this string i ask from user  

for element in name:
    print(fstr(user_input))

Which gives as output:

certi_deep
certi_mahesh
certi_nirbhay

But be aware that users can use expressions in the template, like e.g.:

import os  # assume you have used os somewhere
user_input = r"certi_{os.environ}"

for element in name:
    print(fstr(user_input))

You definitely don't want this!

Therefore, a much safer option is to define:

def fstr(template, **kwargs):
    return eval(f"f'{template}'", kwargs)

Arbitrary code is no longer possible, but users can still use string expressions like:

user_input = r"certi_{element.upper()*2}"

for element in name:
    print(fstr(user_input, element=element))

Gives as output:

certi_DEEPDEEP
certi_MAHESHMAHESH
certi_NIRBHAYNIRBHAY

Which may be desired in some cases.

kadee
  • 8,067
  • 1
  • 39
  • 31
  • 7
    This is the only answer actually answering the question - how to use f-string formatting with a variable. – Zbyněk Winkler Nov 25 '19 at 09:17
  • 5
    This is just a hugely inefficient way of using `template.format(**kwargs)`. Not to mention insecure, as `eval()` lets the user run arbitrary expressions. – Martijn Pieters Sep 16 '20 at 08:35
  • @MartijnPieters, do you mean that the second 'safer' function I defined above is more insecure than an f-string itself? – kadee Sep 18 '20 at 08:16
  • 1
    @kadee: yes, because an f-string is *static*, it's expressions determined up front and unchanging. With `eval()`, you open the door to arbitrary expressions, giving users full access to your process and the access levels your process has. – Martijn Pieters Sep 18 '20 at 20:16
  • Although it is important to mention the security risks this imply, this is the correct answer to the question. Saying, so - I will not add it to public use code - but I found it pretty useful when autogenerating files from templates (e.g. auto-testbench generation for HDL). If risk is an issue, a workaround could be to pre-parse the input string - but not 100% risk free. The risk is the same as running an unknow python script in your app. – Danilo Ramos Nov 06 '20 at 13:24
  • Worth noting that you need to make sure that the template does not contain string inside with same delimiter, e.g. user_input = r'"certi_{element}"' will break the code – middle Jun 09 '23 at 13:36
3

If you want the user to have access to your namespace, you can do that, but the consequences are entirely on you. Instead of using f-strings, you can use the format method to interpolate dynamically, with a very similar syntax.

If you want the user to have access to only a small number of specific variables, you can do something like

name=["deep", "mahesh", "nirbhay"]
user_input = "certi_{element}" # this string i ask from user  

for element in name:
    my_str = user_input.format(element=element)
    print(f"{my_str}")

You can of course rename the key that the user inputs vs the variable name that you use:

my_str = user_input.format(element=some_other_variable)

And you can just go and let the user have access to your whole namespace (or at least most of it). Please don't do this, but be aware that you can:

my_str = user_input.format(**locals(), **globals())

The reason that I went with print(f'{my_str}') instead of print(my_str) is to avoid the situation where literal braces get treated as further, erroneous expansions. For example, user_input = 'certi_{{{element}}}'

Mad Physicist
  • 107,652
  • 25
  • 181
  • 264
1

I was looking for something similar with your problem. I came across this other question's answer: https://stackoverflow.com/a/54780825/7381826

Using that idea, I tweaked your code:

user_input = r"certi_"

for element in name:
    print(f"{user_input}{element}")

And I got this result:

certi_deep
certi_mahesh
certi_nirbhay

If you would rather stick to the layout in the question, then this final edit did the trick:

for element in name:
    print(f"{user_input}" "{" f"{element}" "}")

Reading the security concerns of all other questions, I don't think this alternative has serious security risks because it does not define a new function with eval().

I am no security expert so please do correct me if I am wrong.

José Miguel
  • 92
  • 7
0

This is what you’re looking for. Just change the last line of your original code:

name=["deep","mahesh","nirbhay"]
user_input = "certi_{element}" # this string I ask from user  

for element in name:
  print(eval("f'" + f"{user_input}" + "'"))
David Guidos
  • 9