Add Native Safe SQL String Interpolation to Python (SQL-f-strings) #146367

@sushantkr1187

Description

Feature or enhancement

Proposal:

import mysql.connector as SQL
mycon=SQL.connect(host='localhost',user='root',password='sa123',database='test_404')
if mycon.is_connected():
    name=input('Name: ')
    phone=int(input('Mobile No.: '))
    cur=mycon.cursor()
    cur.execute(f'INSERT INTO TEMP VALUES(1,\'{name}\',{phone})')
    mycon.commit()
mycon.close()

Introduce a standardized, safe, and ergonomic way to construct SQL queries using f-string-like syntax while preserving parameterization and protection against SQL injection.

Proposed Solution

Introduce a new SQL-aware formatted string literal, for example:

cursor.execute(sqlf"INSERT INTO TEMP VALUES(1,\'{name}\',{phone})")

Under the hood, Python would:

  • Extract embedded expressions
  • Convert them into parameters
  • Generate a driver-compatible query
  • Pass parameters safely to the database driver

Benefits

  • Prevents SQL injection by design
  • Improves readability and developer productivity
  • Reduces boilerplate
  • Standardizes parameter style across drivers
  • Helps beginners write secure database code

Backward Compatibility

No breaking changes. This would introduce a new literal form or library feature.
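The four steps the proposal lists (extract the embedded expressions, turn them into parameters, emit a driver-compatible query, hand the parameters to the driver) can be prototyped today as an ordinary function. The block below is an added example, not code from the issue or from CPython; it uses `string.Formatter` to walk the template, chooses sqlite3's `?` placeholder style for the demo, and the table and input values are constructed for illustration.

```python
import sqlite3
from string import Formatter

# Prototype of the sqlf"..." idea as a plain function (added example, not
# part of the issue or of CPython): the template keeps the literal SQL text,
# every {expr} field becomes a driver placeholder, and the field values travel
# separately as parameters. The placeholder style is a constructed choice;
# sqlite3 uses "?" (qmark), mysql.connector would use "%s".
def sqlf(template: str, values: dict, placeholder: str = "?"):
    """Return (query, params) with each {field} replaced by a placeholder."""
    query_parts = []
    params = []
    for literal, field, spec, conv in Formatter().parse(template):
        query_parts.append(literal)
        if field is None:          # trailing literal text, no field follows
            continue
        if spec or conv:
            # A format spec would render the value as text inside the SQL;
            # refuse it so values always stay parameters.
            raise ValueError(f"format spec not allowed in SQL field {field!r}")
        query_parts.append(placeholder)
        params.append(values[field])
    return "".join(query_parts), tuple(params)


def insert_and_read_back(name: str, phone: int) -> list:
    """Run the issue's INSERT through sqlf() against an in-memory SQLite DB
    and return the stored rows, so the effect of an awkward name is visible."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE TEMP (id INTEGER, name TEXT, phone INTEGER)")
    # Same statement as in the issue; the quotes around {name} are gone
    # because quoting is the driver's job once the value is a parameter.
    query, params = sqlf("INSERT INTO TEMP VALUES(1, {name}, {phone})",
                         {"name": name, "phone": phone})
    con.execute(query, params)
    rows = con.execute("SELECT id, name, phone FROM TEMP").fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    # Constructed inputs: a plain name, and one containing a quote that would
    # have produced a syntax error in the f-string version of the statement.
    print(sqlf("INSERT INTO TEMP VALUES(1, {name}, {phone})",
               {"name": "Ann", "phone": 5551234}))
    print(insert_and_read_back("O'Brien", 5551234))
```

The value with the embedded quote is stored verbatim because it never touches the SQL text; the same function with `placeholder="%s"` produces the form mysql.connector's `cursor.execute(query, params)` expects.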

Has this already been discussed elsewhere?

No response given

Links to previous discussion of this feature:

No response
