added security concern

thomasWeise · thomasWeise · commit a134b5248779 · 2025-03-04T18:47:10.000+08:00
diff --git a/bookbase b/bookbase
@@ -1 +1 @@
-Subproject commit 9fdd0dc0fb7edfd1bdab5eb043613a857bbc1d89
+Subproject commit 3062d8df8f335f3cdc81032aa15f3d5578b85c1d
diff --git a/text/main/basics/variables/typesAndTypeHints/typesAndTypeHints.tex b/text/main/basics/variables/typesAndTypeHints/typesAndTypeHints.tex
@@ -263,6 +263,13 @@
 The idea to first write code and later annotate it with \pglspl{typeHint} is wrong.%
 }%
 %
+Finally, it is worth noting that using static type-checkers can even have a positive influence on security aspects of your code, as you can learn in our \citetitle{databases}~\cite{databases} class.
+Injection attacks such as \pglspl{SQLi} have been an application security concern for decades.
+Such attacks can be prevented if the queries to \dbs\ are never dynamically constructed by the likes of \pglspl{fstring} but instead are always defined as string constants.
+\python\ supports the type~\pythonilIdx{LiteralString} for string constants~\cite{PEP675}.
+Implementations of the \python\ \db\ \pgls{API}, such as \psycopg, can be annotated to only accept such strings.
+Hence, a type checker like \mypy\ would detect and complain if you would try to dynamically construct queries, thus preventing \pglspl{SQLi} -- but only if you use it\dots%
+%
 \FloatBarrier%
 \endhsection%
 %
diff --git a/text/main/introduction/whyPython/whyPython.tex b/text/main/introduction/whyPython/whyPython.tex
@@ -26,6 +26,7 @@
 Indeed, the aforementioned Octoverse report~\cite{GS2024OALPTTLATNOGDS} states that the use in soft computing is one of the drivers of \python's popularity.
 
 Third, there exists a very large set of powerful libraries supporting both research and application development in these fields, including \numpy~\cite{HMvdWGVCWTBSKPHvKBHFdRWPGMSRWAGO2020APWN,N2025N,DBvR2024ITN,J2018NPSCADSAWNSAM}, \pandas~\cite{PD2025P,B2012DPWP,L2024PW}, \scikitlearn~\cite{PVGMTGBPWDVPCBPD2011SMLIP,RLM2022MLWPAS}, \scipy~\cite{VGOHRCBPWBvdWBWMMNJKLCPFMVLPCHQHARPvMS2020SFAFSCIP,J2018NPSCADSAWNSAM}, \tensorflow~\cite{ABCCDDDGIIKLMMMSTVWWYZ2016TASFLSML,L2023TDDBTADMLMWT}, \pytorch~\cite{PGMLBCKLGADKYDRTCSFBC2019PAISHPDLL,RLM2022MLWPAS}, \matplotlib~\cite{HDFDM2012MVWP,H2007MA2GE,P2021HOMLPAVWP,J2018NPSCADSAWNSAM}, \simpy~\cite{Z2024DESIEWS}, and \moptipy~\cite{WW2023RSDEWASSAA}\footnote{Yes, I list \moptipy\ here, next to very well-known and widely-used frameworks, because I am its developer.}, just to name a few.
+There are also many \python\ packages supporting other areas of computer science, that offer, e.g., connectivity to \dbs~\cite{VDGE2010P}, or support for web application development~\cite{T2024MFWAAD,A2024FSFAR}.
 This means that for many tasks, you can find suitable and efficient \python\ libraries that support your work.
 
 Fourth and finally, \python\ is very easy to learn~\cite{GPBS2006WCTIPIHSUP,VR1999CPFERPASEFTPOT}.

Original file line number	Diff line number	Diff line change
`@@ -263,6 +263,13 @@`
`263`	`263`	`The idea to first write code and later annotate it with \pglspl{typeHint} is wrong.%`
`264`	`264`	`}%`
`265`	`265`	`%`
	`266`	`+Finally, it is worth noting that using static type-checkers can even have a positive influence on security aspects of your code, as you can learn in our \citetitle{databases}~\cite{databases} class.`
	`267`	`+Injection attacks such as \pglspl{SQLi} have been an application security concern for decades.`
	`268`	`+Such attacks can be prevented if the queries to \dbs\ are never dynamically constructed by the likes of \pglspl{fstring} but instead are always defined as string constants.`
	`269`	`+\python\ supports the type~\pythonilIdx{LiteralString} for string constants~\cite{PEP675}.`
	`270`	`+Implementations of the \python\ \db\ \pgls{API}, such as \psycopg, can be annotated to only accept such strings.`
	`271`	`+Hence, a type checker like \mypy\ would detect and complain if you would try to dynamically construct queries, thus preventing \pglspl{SQLi} -- but only if you use it\dots%`
	`272`	`+%`
`266`	`273`	`\FloatBarrier%`
`267`	`274`	`\endhsection%`
`268`	`275`	`%`