Using locals() and format() method for strings: are there any caveats?

Question

Are there any disadvantages, caveats or bad practice warnings about using the following pattern?

def buildString(user, name = \'john\', age=22):
    userId =         


        

Answer 1

Pre Python 3.6 answer

This is very old, but if you find yourself using .format the one caveat I have encountered with passing in **locals is that if you don't have that variable defined anywhere, it will break. Explicitly stating what variables are passed in will avoid this in most modern IDEs.

foo = "bar"
"{foo} and {baz} are pair programming".format(**locals())
<exception occurs>

Answer 2

If the format string is not user-supplied, this usage is okay.

format is preferred over using the old % for string substitution.
locals is built-in to Python and its behavior will be reliable.

I think locals does exactly what you need.
Just don't modify the dictionary from locals and I would say you have a pretty good solution.

If the format string is user-supplied, you are susceptible to injection attacks of all sorts of badness.

Answer 3

There is now an official way to do this, as of Python 3.6.0: formatted string literals.

It works like this:

f'normal string text {local_variable_name}'

E.g. instead of these:

"hello %(name)s you are %(age)s years old" % locals()
"hello {name}s you are {age}s years old".format(**locals())
"hello {name}s you are {age}s years old".format(name=name, age=age)

just do this:

f"hello {name}s you are {age}s years old"

Here's the official example:

>>> name = "Fred"
>>> f"He said his name is {name}."
'He said his name is Fred.'
>>> width = 10
>>> precision = 4
>>> value = decimal.Decimal("12.34567")
>>> f"result: {value:{width}.{precision}}"  # nested fields
'result:      12.35'

Reference:

• Python 3.6 What's New
• PEP 498
• Lexical analysis description