[thescrewdriver]

I really wish they'd add string interpolation to Go. After being able to use s"My name is $name and surname is $surname" in Scala and "My name is #{name} and surname is #{surname}" in Ruby I find working with printf a giant step backwards.

[why-el]

Ah, I think there should be a formula that spills out how many minutes will pass before language discussion descends to syntax assassination.

I understand your pain, but this is nowhere near a real issue for systems that Go is designed to help build.

I mean, in the thread that announces a new version of a language whose designers made it abundantly clear that it is intended to solve Google's problems, the top comment is about how to interpolate strings? I think they made a very good move by ignoring most syntax requests (There are a lot) and move on. Even better is their decision to harmonize formatting and build the formatter right into the language.

Syntax is extremely overrated, and evidence for it has been provided years ago. [1]

[1] http://c2.com/cgi/wiki?ProgrammingLanguagesAnInterpreterBase...

Edit: typos.

[thescrewdriver]

> I understand your pain, but this is nowhere near a real issue for systems that Go is designed to help build.

I spend most of my day designing and coding the sorts of systems which Go was designed to help build. I'll agree that this isn't a major issue, but it is affecting whether or not I actually enjoy using Go.

[laumars]

I appreciate something like this is best served in the compiler, but would it not be possible to build your own function that provides this functionality?

[NateDad]

Sorta impossible. You can't suck values out of the current context, even with reflection. You always would need to pass values into a function, in which case you might as well use fmt.

[laumars]

I suspected that might have been the case but I haven't played around with reflection enough personally.

Shame :(

[NateDad]

I'm actually hugely not a fan of magically rendering code variables in strings. It's super error prone, and way too magical.

If you really want named variables in format strings you can make a template like "My name is {{.Name}} and surname is {{.Surname}}", and render the template with either a map of strings to strings, or a struct with the right named values.

[DrJokepu]

I wish they didn't! Magic features like this belong to magic languages like Ruby. Go is not meant to be a magic language.

[ahuth]

There isn't much difference between this:

    "My name is #{name} and surname is #{surname}"

and this:

    "My name is " + name + " and surname is " + surname

or this:

    fmt.Println("My name is %s and surname is %s", name, surname)

Except the first one is much more readable.

String interpolation seems like a small thing, but I find myself wanting to use it all the time. It's definitely not a "magic" feature. Javascript really needs it as well.

[lazyjones]

> Except the first one is much more readable.

I disagree, especially in the presence of syntax highlighting editors.

String interpolation would be a redundant alternative to existing mechanisms (the above plus text/template for longer strings) and just make parsing more complex. I don't think it would fit in well with Go's philosophy of providing pleasant, minimalistic syntax.

[thescrewdriver]

I find that there are some disturbing similarities between the Java community and the Go community when it comes to features and culture. There seems to be an unwritten assumption that the language is perfect in its current form and any additional features are a source of evil (up until the day when they are added, in which case they are suddenly evidence of the language's superiority).

[lazyjones]

> the language is perfect in its current form

It works really well in its current form, that is probably the general consensous.

> additional features are a source of evil

Some of us have walked down that path before (e.g. Perl, Scala) and think we have seen the light (or at least the darkness).

> up until the day when they are added, in which case they are suddenly evidence of the language's superiority

That sounded very much like flamebait. Could you name an example of a feature added to Go that was previously considered evil and then as evidence of Go's superiority?

[SiVal]

Thescrewdriver is absolutely correct about Java. Many years ago, I participated in several Java user groups here in Silicon Valley. We frequently had members of the Java team from Sun as guest speakers. It always went roughly the same: we professional Java devs would ask them for a few language features that most of us wanted, and they would explain to us that they knew better than we did what a programming language should have and suggest that we should get over it.

Then a representative from Microsoft started attending a couple of the biggest Java SIGs, and he would ask us how we would change Java if we could. We were happy to answer. A few of the suggestions were broadly desired by the groups.

He took lots of notes, and a year or so later C# was announced. It included several of those features. My impression is that most of us considered it a better Java, as a language design. (The Achilles Heel of its relationship to Microsoft was a huge, but separate, issue from the design of the language itself.)

The Java Team suddenly had a whole new attitude about their fossilized masterpiece, and features we had been told for years were bad ideas were touted as evidence of Java's ongoing spirit of innovation with each new version of Java.

[thescrewdriver]

The first two apply to Go and Java, the last only to Java since Go hasn't added major features recently.

>> additional features are a source of evil

> Some of us have walked down that path before (e.g. Perl, Scala) and think we have seen the light (or at least the darkness).

We've walked down that path and have been very happy and productive with Scala. Each to his own I guess.

[ajanuary]

> I disagree, especially in the presence of syntax highlighting editors.

Every syntax highlighter in an editor I've seen for Ruby handle highlighting string interpolation just fine.

[ahuth]

You're probably right. Also, I obviously should've said, "Except the first one is much more readable to me."

I definitely don't have a problem with the Go developers keeping out random syntax additions unless they think its a really good idea.

Along the same lines, I really miss not having `map`, `reduce`, and `filter` in Go. However, it doesn't seem like those would be efficient in Go, or that they fit in with as well with systems programming, which Go was designed for. So I can't hate them for not including these.

[NateDad]

For what it's worth, I do think it's more readable, but it's just not a good idea. It's too easy for people to inject variables into their strings and get your code to print out data that's in memory.

map, reduce, filter, etc will be easy to code up once there are generics. There will almost certainly be generics in Go at some point, that point is just not right now (and almost certainly not before 2.0).

[jongraehl]

What? There's absolutely no way for a user string to get scanned for format instructions unless you 'eval' or something like that. The proposed syntax is only for string literals in source code.

[rogerbinns]

There is one huge difference - it is far easier to internationalize the first one. The second one is impossible, and the third has ordering issues.

What is the Go best practise for i18n? A google search seems to provide various solutions but not one best practise.

[ajanuary]

What do you mean by being easier to internationalize? Do you mean you can lookup the string at runtime and it will then interpolate on that? That's not a safe way for interpolation to work, because then random strings from unsafe sources can start including any variables from your environment. String interpolation should only apply to string literals. What you actually want (no idea if it's available in Go) is something akin to Sprintf but with named instead of positional arguments, and then explicitly provide a map of those arguments rather than letting it get them from the lexical environment as interpolation does.

[rogerbinns]

You have made the assumption that the values provided just come from the enclosing scopes. The various packages I found all require an explicit map/dictionary passed in - ie there is nothing unsafe - only named values intended for formatting can be used. (The OP likely didn't show the map/dict because that wasn't relevant to their point.)

[sisalcat]

The first one (string with variable interpolation) is not internationalizable, only the third one is.

> the third has ordering issues

In Go you can specify the order in format strings: fmt.Sprintf("%[2]d %[1]d\n", 11, 22)

http://golang.org/pkg/fmt/

[axaxs]

The last example is different - remember to use Printf, else you get: My name is %s and my surname is %s John Smith

I do this unfortunately way more than I want to admit...

[ahuth]

Thanks. I'm definitely not an expert at Go.

[teyc]

String interpolation is wrong in a world where there are so many variants of escaping strings. It is not useful for templating HTML, SQL, CSV, JSON, XML.

This only leaves us console programs and backdoors. I'm happy to give these two up for a stronger language.

[ajanuary]

One difference is that the first one, with a good implementation, will be more efficient because it doesn't need to allocate intermediate strings.

I don't think such a micro-optimisation is enough to sway the argument though.

[thescrewdriver]

Go is designed to be a very practical and productive language. It's not quite clear how you're defining "magic" ...

String interpolation is both practical and useful.

[DrJokepu]

String interpolation is magic because it's not entirely obvious when it happens, what scope rules are followed, if there are any side effects, if the original string is overwritten or whether a new instance is created, what happens when they are used within bodies of loops, what happens when they are used within closures etc., it just works. Sure these can be specified explicitly but they aren't obvious.

It's the kind of feature that is useful when you write an application but not that useful when you're trying to debug it.

[laumars]

I can understand if you don't like the syntax of string interpolation, but that argument is a cop-out.

If you're genuinely confused by it's behaviour then I'd suggest steering clear of the Printf (and even the vanilla Print/Println functions which does concatenation and automatic type conversion).

Or perhaps, a better suggestion would be to read the language specs and learn interpolation's behaviour since this "magic" is almost always well documented [hint: it's actually less complicated than Printf ;)]

[ajanuary]

I'm not really familiar with Go, but surely the answer to almost all of those can be "the same as variables in the same scope as the string"?

[thescrewdriver]

> It's the kind of feature that is useful when you write an application but not that useful when you're trying to debug it.

It's largely used in log messages and the like where it's used for debugging issues after the fact. I've yet to encounter a case where anyone was ever confused by the behaviour.

[DrJokepu]

Right, if this gets in then I officially demand that the much more innocent ternary operator and prefix/postfix increment/decrement operators get in as well.

[LanceH]

If I had to choose, I'd pick string interpolation.

i += 1 means an extra line, but that extra line is very clear.

Ternary vs an if-else arguably loses on clarity except for the simplest of cases.

"Today's date is #{date}. Your balance on account #{account.Number} is #{account.Balance}"

"Today's date is " + date + " Your balance on account " + account.Number + " is " + account.Balance

The second is a mess of +'s and "'s to me, not to mention the awkwardness of formatting spaces before and after each quote. The first, you write a sentence and plug in the variables where they belong.

Not saying you're wrong, just what I would choose.

[jongraehl]

It would be defined as sugar for the regular syntax "blah" + var. Not sure what specifically you find confusing.

[coldtea]

There's nothing "magical" about it.

The intention of the programmer and the result is actually even more explicit than passing the values as arguments to some printf function.

[NateDad]

Uh, grabbing variables out of the current scope to format your string is most certainly magical. It's also way less explicit than actually passing variables into a formatting function.

It might be a little harder to read, but that's a lot different than explicit.

fmt.Sprintf("Hello %s!", username) is very explicitly using the username variable from the local scope, and nothing but the username variable can ever get included in the output string. At most, a user could put a %s in their string, and get the username to appear somewhere else in the output... but they wouldn't be revealing data that wasn't already intended to be printed out.

In comparison, interpolation is opening a door to let anyone extract whatever variables happen to be in scope at the time by putting #{password} or #{secret_key} in their string. By moving the definition of what variables get printed out into the data, you're opening a really big hole in your code... it also makes it a lot harder for the compiler to check for correctness.

[ajanuary]

Can you give an example of your last point?

A language like Ruby will only perform interpolation on string literals, so there isn't a way (that I know of) for data to inject interpolated strings.

Interpolation isn't the same thing as eval.

[NateDad]

I guess that's my lack of knowledge of how Ruby's string interpolation works. I assumed it worked like any old string format, which in other languages can use whatever string is passed into the formatting function. It sounds like that's not the case for Ruby's string interpolation. My apologies for jumping to conclusions. I guess it's my statically compiled mindset that assumes a string is a string.

[ajanuary]

You can kind of think of it as syntactic sugar over adding strings that desugars at the compilation stage.

"abc #{x} def" would desugar to "abc"+x+"def"

Because it's happening at the compilation stage, it can only be done on string literals (which as we've seen is actually an advantage security wise).

The reality is actually a tad more complicated, because you can make efficiency improvements and only create one string instead of all the intermediate strings etc. but the effect is the same.

[ImJasonH]

http://play.golang.org/p/DdwCOZwiCk

[jerf]

One thing Go won't do, is pull the variables out of the local scope into the string interpolation automatically. As I think easy string interpolation is an antipattern, and I'm comfortable having to feed values into the string formatter, I'm not upset, but you're not going to convince people with that.

As we slowly, oh so slowly, but surely move into languages where buffer overflows are not possible to write (or at least require scary excursions into some sort of "unsafe" package), easy string interpolations that allow the programmer to believe they don't have to think about the correct encoding of the value become the next most pressing security threat. Pretty much every "injection" is due to over-simplified string interpolation.

Unfortunately, if your string interpolation syntax is as easy is "This is an interpolated $string"... it's also wrong. Dead wrong, very wrong, run away screaming wrong wrong wrong! String interpolation is actually a very hard problem, and this must irreducibly manifest itself in the API. ImJasonH's example, while it isn't "string interpolation" in the Ruby/Perl/etc. sense, does involve using a template system with sensible escaping mechanisms... it's HTML-specific, though, but for HTML it's incredibly powerful and easy to use correctly. In fact Go's HTML templating is the most powerful and easy-to-use correct HTML templating system I've ever seen that isn't in Haskell. Presumably there are others out there, but I've seen a lot of the competition and most of them will sit by, twiddling their thumbs and whistling idly, while you put 100 injections of every kind into your HTML page.

My guess is Go will never grow this style of string interpolation, pretty much because it is so very, very frequently wrong. The way Go is already doing it is as easy as it can feasibly be, without encouraging wrongness.

[dragonwriter]

I don't understand your claim that strong interpolation is wrong and the source of injection attacks, which are well known where building strings is much harder than interpolation. They come from not validating input data before use; requiring lots of work to build strings doesn't make it any more likely that people will do it safely.

[jerf]

"They come from not validating input data before use;"

I say they come from building APIs that don't require a statement of the correct way to escape output. Of course if your API doesn't require it, it doesn't happen.

Even the way you phrase it is dangerously wrong... validation of input and escaping of output are two entirely different things. I've implied this in my phrasing but let me spell it out, validation happens on the way in and is related to your local semantic domain (business rules, legal values of "an IP address" or "an email", etc), and escaping happens on the way out and is performed by the string "interpolation" or template system. If you've got them munged in your head into one concept, you're probably not writing correct code.

(For what it's worth, I see this formulation of the "root problem" more often than I see the right one. I really ought to write this up as a blog post.)

I'm looking out on the world and seeing what is there, which is a steaming mass of code that incorrectly manages strings. The fact that it is theoretically possible to correctly manage them is not that interesting of a fact, because observationally, it doesn't happen.

[dragonwriter]

> Even the way you phrase it is dangerously wrong... validation of input and escaping of output are two entirely different things.

Yes, they are, but preventing injection attacks is the domain of the former more than the latter, and your suggestion that it is the other way is dangerously wrong. There are security risks addressed by the latter, but if you are relying on it to prevent injection attacks in the usual case [1], it means you are allowing untrusted unvalidated external data into your system and doing general processing on it and just trying to avoid a problem on output.

You prevent injection attacks by preventing malformed data from being injected into the system (at least, from such data making it past a validation component), not by allowing it freely into the system and trying to mitigate certain of its harms by escaping output.

Its true that proper escaping may help to limit injection attacks where imperfect validation has failed to prevent bad data from being accepted and processed, but even there more complicated APIs for string building don't make it more likely that people will do it right.

[1] the one place where it may be a proper mechanism for addressing injection attacks is when you are reporting the rejection of malformed input data, in which case you may have a legitimate need to use (some part of) the malformed data in the error report.

[afarrell]

You are looking at a whole class of bugs as symptoms of a problem with the user interface rather than the user. Except here, the user is a programmer.

[ajanuary]

Nothing in Go pushes you towards using a domain specific templating language rather than Sprintf, only education (and culture) can do that.

So programmers _will_ use Sprintf, because it's one of the first things they'll have been taught, and Sprintf doesn't make dealing with encoding any easier or explicit than string interpolation.

Having string interpolation doesn't mean people can't or won't use domain specific templating languages, and not having it won't make it any more likely that they will.

[dilap]

Pretty much impossible to add at this point w/o breaking back-compat, though, right?

[thescrewdriver]

fmt.RichPrint("....")

[greiskul]

And how would this function capture variables from the local scope? The only way this could be added would be with new syntax.

[thescrewdriver]

I haven't dug into the details, but here's how Scala went about adding string interpolation: https://docs.google.com/document/d/1NdxNxZYodPA-c4MLr33KzwzK...

[dilap]

That's what I was thinking, but now that you mention it, all that is needed is to have introspection gain the ability to examine local variables up the stack, so I guess it's do-able w/ back compat after all.

I wouldn't hold my breath, though.