https://www.secdev.uk/blog/tags/string-formatting/ Recent content in String Formatting on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 03 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-03-string-formatting-and-security/ Sat, 03 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-03-string-formatting-and-security/ <p>String formatting is one of those operations that&rsquo;s everywhere, and it&rsquo;s more dangerous than most developers realise when user input gets involved. Every language provides multiple ways to build strings from dynamic data, and each mechanism carries different security implications. From C&rsquo;s <code>printf</code> family, where a format string bug can read and write arbitrary memory, to Python&rsquo;s f-strings that can execute attribute lookups, the attack surface is broader than most people think. I wanted to map out the full landscape across languages, and what I found was that each mechanism breaks down in its own unique and sometimes surprising way.</p>