# **STRING FORMATTING**
* 4 major ways in Python (against "one obvious way to do something" rule from the Zen of Python!)
* pros and cons depending on the use cases

In [None]:
errno = 50159747054
name = 'Bob'

# **1. Old-style string formatting: `%`**
* REFERENCE: https://docs.python.org/3/library/stdtypes.html#printf-style-string-formatting

In [None]:
errno = 50159747054
name = 'Bob'

# Using the %s format specifier
print('Hello, %s' % name)

# Converting int to str and represent it as hexadecimal
print('%x' % errno)

# Using a tuple for multiple substitutions
# because % operator only takes one argument
print('Hey %s, there is a 0x%s error!' % (name, errno))

# Refering to variable substitutions by name (no variable order error)
print('Hey %(name)s, there is a 0x%(errno)x error!' % {
      'name': name, 'errno': errno })

Hello, Bob
badc0ffee
Hey Bob, there is a 0x50159747054 error!
Hey Bob, there is a 0xbadc0ffee error!


### **Flags**
* `#` value conversion will use the 'alternate form'
* `0` conversion will be zero padded for numeric values
* `_` converted value left adjusted (overrides de `Â°` conversion if both are given)
* ` ` (a space) blank left before a positive number (or empty string) produced by a signed conversion
* `+` sign character (`+` or `_`) will precede the conversion (overrides the "space" flag)

### **Length modifiers**
`h`, `l` and `L`: ignored because not necessary for Python (e.g. `%ld` identical to `%d`)

### **Conversion types**
* `d` signed integer decimal
* `x` signed hexadecimal (lowercase)
* `X` signed hexadecimal (uppercase)
* `e` floating point exponential format (lowercase)
* `E` floating point exponential format (uppercase)
* `f` floating point decimal format
* `F` floating point decimal format
* `c` signel character (accepts integer or single character string)
* `r` String (converts any Python object using `repr()`)
* `s` String (converts any Python object using `str()`)
* `a` String (converts any Python object using `ascii()`)
* `%` No argument is converted, results in a `%` character in the result  

### **Precision**  
Precision determines the number of significant digits before and after the decimal point. Defaults to 6.
If precision is `N`, output is truncated to `N` characters

### **Alternate forms**
See documentation  

Since Python strings have an explicit length, `%s` conversions do not assume `'\0'` is the end of the string

# **2. New style string formatting: `format()`**
* REFERENCE: https://docs.python.org/3/library/stdtypes.html#str.format   
* Python 3, later back-ported to Python 2.7

### **Syntax**
```
'Text {field_name:conversion} end'.format(value)
```

### **Type specifying**
* `s` strings
* `d` decimal integers (base-10)
* `f` floating point display
* `c` character
* `b` binary
* `o` octal
* `x` hexadecimal with lowercase letters after 9
* `X` hexadecimal with uppercase letters after 9
* `e` exponent notation

In [1]:
errno = 50159747054
name = 'Bob'

print('Hello, {}'.format(name))

# Using a format spec 'errno:x'
print('Hey {name}, there is a 0x{errno:x} error!'.format(
       name=name, errno=errno))

# Converting base-10 integers to floating point numeric constants
print('This site is {0:f}% {1}'.format(100, 'encrypted'))

print('{0:.2f}%'.format(78.234876))  # Limiting the precision
print('{0:.0f}%'.format(78.234876))  # No decimal places
print('{0:b}%'.format(100))          # Converting to

Hello, Bob
Hey Bob, there is a 0xbadc0ffee error!
This site is 100.000000% encrypted
78.23%
78%
1100100%


# **3. Literal String Interpolation (Python 3.6+)**
* REFERENCE: https://www.python.org/dev/peps/pep-0498/
* _Formatted String Literals_
* Allows embedded expressions inside string constants
* Similar to JavaScript Template Literals added in ES2015

In [None]:
a = 5
b = 7
f'Five plus ten is {a + b}.'

# Behind the scenes
print('Five plus ten is ' + str(a + b) + '.')

# The real implementation is slightly faster:
# it uses BUILD_STRING opcode as an optimization

# Supports the existing string formatting syntax of format()
print(f'Hello {name}, there is an error {errno:#x}')

Five plus ten is 12.
Hello Bob, there is an error 0xbadc0ffee


# **4. Template strings**
* Simpler and less powerful mechanism
* Supplied by a module in the `string` standard library

In [None]:
from string import Template
t = Template ('Hey, $name!')
t.substitute(name=name)

'Hey, Bob!'

In [None]:
# Don't allow format specifiers
t = 'Hey $name, there is a $error error!'
Template(t).substitute(name=name, error=hex(errno))

'Hey Bob, there is a 0xbadc0ffee error!'

* Due to reduced complexity:
  * is a safer choice when handling format strings generated by users of your program
  * more complex formatting techniques might introduce security vulnerabilities to your programs

In [None]:
# Example:
# It's possible for format strings to access arbitrary variables in your program
# So if a malicious user can supply a format string they can alose potentially
# leak secret keys and other sensitive information!
# Example of how this attack might be used:

SECRET = 'this-is-a-secret'

class Error:
  def __init__(self):
    pass

# Secret string can be accessed in the __globals__ dictionary from format string
err = Error()
user_input = '{error.__init__.__globals__[SECRET]}'
user_input.format(error=err)

# Sefest choice:
user_input = '${error.__init__.__globals__[SECRET]}'
Template(user_input).substitute(error=err)
# ValueError: Invalid placeholder in string: line 1, col 1