cross-posted from: https://lemm.ee/post/4890334
cross-posted from: https://lemm.ee/post/4890282
let’s say I have this code
` #include #include char name[50]; int main(){ fgets(name,50,stdin); name[strcspn(name, “\n”)] = ‘\0’; printf(“hi %s”, name); }
` and I decide my name is “ewroiugheqripougheqpiurghperiugheqrpiughqerpuigheqrpiugherpiugheqrpiughqerpioghqe4r”, my program will throw some unexpected behavior. How would I mitigate this?
- In almost all cases you want to be using some encapsulated string class (glib string, C++ string, something like that). The reason is that your question honestly doesn’t really have a good answer. I.e., if you’re storing the name in a statically-allocated char buffer, someone has a name that’s more than 50 characters, you’re screwed. “Screwed” can include all kinds of things up to and include crashing your program or introducing a way for people to enter a malicious name and take over your program.
- If you’re really set on doing this, e.g. you just want to do this learn about C memory management, then probably what you want is a dynamic buffer. Find out the length of the name before you allocate the place for it, use malloc() to get a buffer of the size you actually need, and put the string there. It’s highly unusual that in a modern application, doing this type of thing yourself is worth the effort and risk it creates though.
Hello, ewroiugheqripougheqpiurghperiugheqrpiughqerpuigheq,
The fgets function will only read in as many characters as you tell it to (50) in the second parameter, so the rest of the input will simply be lost and the name will be truncated.
And, mind you,
fgetsis the safer replacement to the originalgets, which attempts to read a variable-length line into a fixed-length buffer.The manual has this to say about
gets—BUGS Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer se‐ curity. Use fgets() instead.Why is this even still in the library 🥲
Twenty years ago it kind of made sense. Ok it’s bad, but sometimes we’re just reading a local file fully under our control, maybe from old code that the source doesn’t exist anymore for, it’s such a core function that taking it out however badly needed will have some negative consequences.
At this point though, I feel like calling it should just play a loud, stern “NO!” over your speakers and exit the program.
Why is this even still in the library 🥲
The linker will complain at you —
dumb.c:(.text+0x2f): warning: the `gets' function is dangerous and should not be used.
Can’t help with your code, but you should be aware of:
The first article is funny, because I moved from my native country to the one right next to it, and everybody is confused by my name. They have one given name and 2 family names, while I have 4 first names, and a compound last name.
No need to travel to the other side of the planet to meet a different culture of naming.
Not a name, but something else to be aware of which could also happen with names.
Wow. Almost worth changing my name again just to fuck with them.
Your going to have to read the input one piece at a time, allocating a bigger buffer as you go. (realloc is the way to go here) I recommend putting the input reading code in a function do you can easily use it multiple times.
