90

I want to use f-string with my string variable, not with string defined with a string literal, "...".

Here is my code:

name=["deep","mahesh","nirbhay"]
user_input = r"certi_{element}" # this string I ask from user  

for element in name:
    print(f"{user_input}")

This code gives output:

certi_{element}
certi_{element}
certi_{element}

But I want:

certi_{deep}
certi_{mahesh}
certi_{nirbhay}

How can I do this?

See also: How to postpone/defer the evaluation of f-strings?

Improve this question
5
  • 6
    You do not want users being able to execute arbitrary code. Make it a dictionary lookup or something like that. Commented Jan 24, 2019 at 16:56
  • 3
    @user3483203: where is the user stating that they expect to be able to use arbitrary variables? There is nothing here to say that just any name can be used. Commented Jan 24, 2019 at 17:02
  • 1
    @MartijnPieters my comment has nothing to do with arbitrary variables. I'm saying that they shouldn't want an expression inside a user's input to be evaluated. Commented Jan 24, 2019 at 17:04
  • 2
    @user3483203: right, I don't know if the OP is expecting full expression support (or are even aware of that feature existing). They are asking for a variable, so str.format() more than suffices. Commented Jan 24, 2019 at 17:05
  • Related How to postpone/defer the evaluation of f-strings? Commented Sep 21, 2020 at 19:08

6 Answers 6

Reset to default
99

f"..." strings are great when interpolating expression results into a literal, but you don't have a literal, you have a template string in a separate variable.

You can use str.format() to apply values to that template:

name=["deep","mahesh","nirbhay"]
user_input = "certi_{element}" # this string i ask from user  

for value in name:
    print(user_input.format(element=value))

String formatting placeholders that use names (such as {element}) are not variables. You assign a value for each name in the keyword arguments of the str.format() call instead. In the above example, element=value passes in the value of the value variable to fill in the placeholder with the element.

Unlike f-strings, the {...} placeholders are not expressions and you can't use arbitrary Python expressions in the template. This is a good thing, you wouldn't want end-users to be able to execute arbitrary Python code in your program. See the Format String Syntax documenation for details.

You can pass in any number of names; the string template doesn't have to use any of them. If you combine str.format() with the **mapping call convention, you can use any dictionary as the source of values:

template_values = {
    'name': 'Ford Prefect',
    'number': 42,
    'company': 'Sirius Cybernetics Corporation',
    'element': 'Improbability Drive',
}

print(user_input.format(**template_values)

The above would let a user use any of the names in template_values in their template, any number of times they like.

While you can use locals() and globals() to produce dictionaries mapping variable names to values, I'd not recommend that approach. Use a dedicated namespace like the above to limit what names are available, and document those names for your end-users.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

What if I don't know what user give in { }. In our case : element.
@DeepGhodasara: you'd still have to tell the user to use specific names. While you can parse out what names are used in a template, you'd still have to map those names to values. I've added how you'd give someone access to multiple names that they can pick from.
54

If you define:

def fstr(template):
    return eval(f"f'{template}'")

Then you can do:

name=["deep","mahesh","nirbhay"]
user_input = r"certi_{element}" # this string i ask from user  

for element in name:
    print(fstr(user_input))

Which gives as output:

certi_deep
certi_mahesh
certi_nirbhay

But be aware that users can use expressions in the template, like e.g.:

import os  # assume you have used os somewhere
user_input = r"certi_{os.environ}"

for element in name:
    print(fstr(user_input))

You definitely don't want this!

Therefore, a much safer option is to define:

def fstr(template, **kwargs):
    return eval(f"f'{template}'", kwargs)

Arbitrary code is no longer possible, but users can still use string expressions like:

user_input = r"certi_{element.upper()*2}"

for element in name:
    print(fstr(user_input, element=element))

Gives as output:

certi_DEEPDEEP
certi_MAHESHMAHESH
certi_NIRBHAYNIRBHAY

Which may be desired in some cases.

Improve this answer

7 Comments

This is the only answer actually answering the question - how to use f-string formatting with a variable.
This is just a hugely inefficient way of using template.format(**kwargs). Not to mention insecure, as eval() lets the user run arbitrary expressions.
@kadee: yes, because an f-string is static, it's expressions determined up front and unchanging. With eval(), you open the door to arbitrary expressions, giving users full access to your process and the access levels your process has.
Although it is important to mention the security risks this imply, this is the correct answer to the question. Saying, so - I will not add it to public use code - but I found it pretty useful when autogenerating files from templates (e.g. auto-testbench generation for HDL). If risk is an issue, a workaround could be to pre-parse the input string - but not 100% risk free. The risk is the same as running an unknow python script in your app.
Worth noting that you need to make sure that the template does not contain string inside with same delimiter, e.g. user_input = r'"certi_{element}"' will break the code
|
3

If you want the user to have access to your namespace, you can do that, but the consequences are entirely on you. Instead of using f-strings, you can use the format method to interpolate dynamically, with a very similar syntax.

If you want the user to have access to only a small number of specific variables, you can do something like

name=["deep", "mahesh", "nirbhay"]
user_input = "certi_{element}" # this string i ask from user  

for element in name:
    my_str = user_input.format(element=element)
    print(f"{my_str}")

You can of course rename the key that the user inputs vs the variable name that you use:

my_str = user_input.format(element=some_other_variable)

And you can just go and let the user have access to your whole namespace (or at least most of it). Please don't do this, but be aware that you can:

my_str = user_input.format(**locals(), **globals())

The reason that I went with print(f'{my_str}') instead of print(my_str) is to avoid the situation where literal braces get treated as further, erroneous expansions. For example, user_input = 'certi_{{{element}}}'

Improve this answer

1 Comment

Why the assumption that there the name element is arbitrary?
1

I was looking for something similar with your problem. I came across this other question's answer: https://stackoverflow.com/a/54780825/7381826

Using that idea, I tweaked your code:

user_input = r"certi_"

for element in name:
    print(f"{user_input}{element}")

And I got this result:

certi_deep
certi_mahesh
certi_nirbhay

If you would rather stick to the layout in the question, then this final edit did the trick:

for element in name:
    print(f"{user_input}" "{" f"{element}" "}")

Reading the security concerns of all other questions, I don't think this alternative has serious security risks because it does not define a new function with eval().

I am no security expert so please do correct me if I am wrong.

Improve this answer

Comments

0

This is what you’re looking for. Just change the last line of your original code:

name=["deep","mahesh","nirbhay"]
user_input = "certi_{element}" # this string I ask from user  

for element in name:
  print(eval("f'" + f"{user_input}" + "'"))
Improve this answer

Comments

0

I recently (September 3, 2024) had a need to use a string variable holding an f-string to connect to a SQLite Cloud database, using information I wanted to keep private inside a .env file.

The template was part of the key/value pairs stored inside my .env file:

sqlite_cloud_connection_template = 'sqlitecloud://{project_name}:{port_number}/{database_name}?apikey={api_key}'
sqlite_cloud_project_name = 'YOUR PROJECT NAME'
sqlite_cloud_project_port = 'YOUR PORT NUMBER'
sqlite_cloud_db_name = 'YOUR DATABASE NAME'
sqlite_cloud_api_key = 'YOUR API KEY'

Inside a class called Settings (settings.py) I defined the following static method that calls other static methods to get the components needed to build the final string result:

    
    @classmethod
    def cloud_connection_string(cls) -> str:
        """ Return the SQLite Cloud connection string from its components using an f-string template.
        'sqlitecloud://{project_name}:{port_number}/{database_name}?apikey={api_key}'
        """
        return cls.cloud_connection_template().format(project_name=cls.cloud_project_name(),
                                                      port_number=cls.cloud_project_port(),
                                                      database_name=cls.database_name(),
                                                      api_key=cls.cloud_api_key())

The public repo is in GitLab here: Python Sqlite Cloud Example

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.