Using strings whose contents are supplied by users is fraught with peril; SQL
injection, for example, is a well-known attack technique that stems from
exactly that. Database frameworks and libraries generally provide mechanisms,
such as parameterized queries, that steer programmers toward doing The Right
Thing, but they cannot enforce it: inventive developers will seemingly always
find ways to splice user input into places it should not go. A recently
adopted Python Enhancement Proposal (PEP 675, which adds a LiteralString
type) provides a way to enforce that a string is built only from literals in
the program's source, and is thus untainted by user input, but it does so
through the language's optional typing features. The interpreter itself
checks nothing at run time, so those wanting to take advantage of it will
need to run a type checker over their code.
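The following is an added example, not code from the LWN article or from the PEP, showing how a LiteralString annotation separates the two cases above: a query helper whose SQL parameter only accepts literal-derived strings, a caller that splices user input in with an f-string (which a type checker such as mypy or pyright flags as passing a plain `str` where a `LiteralString` is expected, but which the interpreter happily runs), and a caller that uses a parameterized query. The table, rows and injection payload are constructed for the demonstration; the `typing_extensions` fallback and the final `LiteralString = str` fallback are assumptions so the script also runs on older Pythons, where no checker enforcement happens.

```python
"""Added example: LiteralString-guarded SQL helper, run against sqlite3."""
import sqlite3

try:
    from typing import LiteralString  # Python 3.11+
except ImportError:  # assumption: older interpreter
    try:
        from typing_extensions import LiteralString
    except ImportError:
        # Assumption/fallback: keeps the script runnable, but a checker
        # then has nothing to enforce.  Install typing_extensions instead.
        LiteralString = str  # type: ignore[misc,assignment]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def run_query(conn: sqlite3.Connection, sql: LiteralString, params=()):
    """The annotation on `sql` is the whole enforcement point.

    A type checker only lets string literals, or expressions built solely
    from literals, reach this parameter.  At run time it is an ordinary
    str: nothing here stops a caller that ignores the checker.
    """
    return conn.execute(sql, params).fetchall()


def lookup_unsafe(conn: sqlite3.Connection, name: str):
    """User input interpolated into the query text.

    `name` is `str`, so the f-string is inferred as `str`, not
    `LiteralString`; mypy/pyright report an incompatible argument type on
    the call below.  Python itself runs it, and the injection works.
    """
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return run_query(conn, sql)


def lookup_safe(conn: sqlite3.Connection, name: str):
    """Same lookup with a parameterized query: the SQL text is a literal,
    so it satisfies LiteralString, and the driver binds `name` as data."""
    return run_query(conn, "SELECT name, role FROM users WHERE name = ?", (name,))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # constructed injection payload
    print("unsafe:", lookup_unsafe(db, payload))   # both rows leak
    print("safe:  ", lookup_safe(db, payload))     # no such user
```

Two caveats worth keeping in mind when adopting this. First, the check is purely static: if `sql` is annotated as `Any`, or the call site lives in an unchecked module, nothing is enforced. Second, the check catches the concatenation pattern only; it does not verify that the parameter binding is actually used, so the parameterized call still has to be written correctly.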
Source: LWN.net – [$] A literal string type for Python