string-format | An alternative for String.format when you have a lot | Runtime Evironment library

I am parsing the dates of my dataset, but am encountering a lot of ParserError because the hours are often in the wrong format. I've decided to skip the hours and only focus on Years, Months, Days

These are the variants I have for date:

| Startdate |

| --- |

| March 23, 2022 6:00 |

| March 23, 2022 7:0 |

| March 23, 2022 7: |

| March 23, 2022 7 |

For now, only the first date/row works for parsing data. I currently skip the other rows, however I would want to also include them by just excluding the hours.

In Python, I want to both (a) use the str.format method to print strings with a fixed width and (b) use yachalk/chalk (see also this answer) to color the output sent to the terminal.

When I use str.format without yachalk, I successfully achieve the fixed-width output. However, when I add yachalk to the mix, I get the colored output I seek, but the strings all run together, ignoring the fixed-width formatting.

Here's my test-case code, followed by screenshot of the terminal output.

Am I doing something wrong? Is yachalk incompatible with str.format?

I have a fairly simple string-formatted json column in a BigQuery database I am trying to flatten.

Running:

I am trying to pass multiple Python variables to an SQL query in pymysql but always receive "TypeError: not all arguments converted during string formatting". For debugging purposes, there are no other records in this table:

From various sources, I have come to the understanding that there are four main techniques of string formatting/interpolation in Python 3 (3.6+ for f-strings):

1. Formatting with %, which is similar to C's printf
2. The str.format() method
3. Formatted string literals/f-strings
4. Template strings from the standard library string module

My knowledge of usage mainly comes from Python String Formatting Best Practices (source A):

• str.format() was created as a better alternative to the %-style, so the latter is now obsolete
  • However, str.format() is vulnerable to attacks if user-given format strings are not properly handled
• f-strings allow str.format()-like behavior only for string literals but are shorter to write and are actually somewhat-optimized syntactic sugar for concatenation
• Template strings are safer than str.format() (demonstrated in the first source) and the other two methods (implied in the first source) when dealing with user input

I understand that the aforementioned vulnerability in str.format() comes from the method being usable on any normal strings where the delimiting braces are part of the string data itself. Malicious user input containing brace-delimited replacement fields can be supplied to the method to access environment attributes. I believe this is unlike the other ways of formatting where the programmer is the only one that can supply variables to the pre-formatted string. For example, f-strings have similar syntax to str.format() but, because f-strings are literals and the inserted values are evaluated separately through concatenation-like behavior, they are not vulnerable to the same attack (source B). Both %-formatting and Template strings also seem to only be supplied variables for substitution by the programmer; the main difference pointed out is Template's more limited functionality.

I have seen a lot of emphasis on the vulnerability of str.format() which leaves me with questions of what I should be wary of when using the other techniques. Source A describes Template strings as the safest of the above methods "due to their reduced complexity":

The more complex formatting mini-languages of the other string formatting techniques might introduce security vulnerabilities to your programs.

1. Yes, it seems like f-strings are not vulnerable in the same way str.format() is, but are there known concerns about f-string security as is implied by source A? Is the concern more like risk mitigation for unknown exploits and unintended interactions?

I am not familiar with C and I don't plan on using the clunkier %/printf-style formatting, but I have heard that C's printf had its own potential vulnerabilities. In addition, both sources A and B seem to imply a lack of security with this method. The top answer in Source B says,

String formatting may be dangerous when a format string depends on untrusted data. So, when using str.format() or %-formatting, it's important to use static format strings, or to sanitize untrusted parts before applying the formatter function.

1. Do %-style strings have known security concerns?
2. Lastly, which methods should be used and how can user input-based attacks be prevented (e.g. filtering input with regex)?
   • More specifically, are Template strings really the safer option? and Can f-strings be used just as easily and safely while granting more functionality?

I have a df in which I want to change certain columns type to date from datetime:

Starting with a string variable containing a Security Descriptor String Format, I convert this string to a security descriptor (using ConvertStringSecurityDescriptorToSecurityDescriptorW function).

This function gives me a "pointer" to a Security Descriptor (I put the pointer under quotation mark relative to this blog post).

Next, I recover a pointer to the DACL of the pointed Security Descriptor using GetSecurityDescriptorDacl function. From this DACL, I store all the ACEs into a vector of pointers to ACCESS_ALLOWED_ACE structures. Finally in these structures, there is my targeted member (SidStart) that I want to use to get a "translation" of the SID (for example with Well-Known SIDs, I want to translate "S-1-1-0" to a final user readable string like "Everyone").

However, SidStart only gives the first DWORD of a trustee's SID. The remaining bytes of the SID are stored in contiguous memory after the SidStart member (as documentation said). Despite my researches over the Internet, I can't figure it out to get theses remaining bytes.

Here is a minimum reproducible example in a C++ Console App:

I am parsing strings representing German-style numbers (i.e., decimal comma and optional full stop for grouping thousands), e.g., "2.804,13"; this is just done using a DecimalFormat based on my desired Locale:

I have a page set up with a grid: