
why gets() is not working?

I am programming in C in Unix, and I am using gets to read the inputs from the keyboard. I always get this warning and the program stops running:

warning: this program uses gets(), which is unsafe.

Can anybody tell me the reason why this is happening?


gets is unsafe because you give it a buffer, but you don't tell it how big the buffer is. The input may write past the end of the buffer, blowing up your program fairly spectacularly. Using fgets instead is a bit better because you tell it how big the buffer is, like this:

const int bufsize = 4096; /* Or a #define or whatever */
char buffer[bufsize];

fgets(buffer, bufsize, stdin);

...so provided you give it the correct information, it doesn't write past the end of the buffer and blow things up.

Slightly OT, but:

You don't have to use a const int for the buffer size, but I would strongly recommend you don't just put a literal number in both places, because inevitably you'll change one but not the other later. The compiler can help:

char buffer[4096];
fgets(buffer, (sizeof buffer / sizeof buffer[0]), stdin);

That expression gets resolved at compile-time, not runtime. It's a pain to type, so I used to use a macro in my usual set of headers:

#define ARRAYCOUNT(a) (sizeof a / sizeof a[0])

...but I'm a few years out of date with my pure C, there's probably a better way these days.
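The answer above shows fgets with the size taken from the buffer itself. The part it leaves out is what happens when the line is longer than the buffer: fgets simply stops at size-1 characters and the rest of the line stays in the stream, where the next call will pick it up as if it were fresh input. The example below (added here, not part of the original answer) wraps fgets in a small line reader that strips the newline, detects an over-long line and drains the remainder so the next read starts on a new line. The function name read_line, the enum and the deliberately small 16-byte buffer in main are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for read_line() (hypothetical names for this example). */
enum line_status {
    LINE_OK = 0,        /* a whole line was read (newline stripped) */
    LINE_TRUNCATED = 1, /* line was longer than the buffer; remainder discarded */
    LINE_EOF = -1       /* no data: end of file or read error */
};

/* Reads one line from `in` into `buf` (capacity `size`). fgets stops after
 * size-1 characters, so it can never write past the buffer; this wrapper
 * adds what fgets does not do: it removes the trailing newline, reports
 * whether the line fit, and drains an over-long line so the next call does
 * not silently return its leftover as a new line. */
enum line_status read_line(char *buf, size_t size, FILE *in)
{
    if (size < 2 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer: either the last line of the input had none,
     * the line filled the buffer exactly, or the line was too long. Peek at
     * the next character to tell which. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    /* Over-long line: discard the rest of it up to the newline. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return LINE_TRUNCATED;
}

int main(void)
{
    char buffer[16]; /* deliberately small so truncation is easy to trigger */
    enum line_status st;
    while ((st = read_line(buffer, sizeof buffer, stdin)) != LINE_EOF)
        printf("%s: \"%s\"\n", st == LINE_OK ? "ok" : "truncated", buffer);
    return 0;
}
```

Because read_line takes a FILE *, it can be exercised against an in-memory or temporary file as well as stdin, which makes the truncation path easy to test without typing 4096 characters by hand.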


As mentioned in the previous answers, use fgets instead of gets.

But it is not like gets doesn't work at all, it is just very very unsafe. My guess is that you have a bug in your code that would appear with fgets as well so please post your source.

EDIT Based on the updated information you gave in your comment I have a few suggestions.

  • I recommend searching for a good C tutorial in your native language, Google is your friend here. As a book I would recommend The C Programming Language

  • If you have new information it is a good idea to edit them into your original post, especially if it is code, it will make it easier for people to understand what you mean.

  • You are trying to read a string, basically an array of characters, into a single character, which will of course fail. What you want to do is something like the following.

    char username[256];
    char password[256];
    scanf("%s%s", username, password);
    

    Feel free to comment/edit, I am very rusty even in basic C.

EDIT 2 As jamesdlin warned, usage of scanf is as dangerous as gets.
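The scanf call in this answer has the same problem as gets: "%s" has no idea how large username and password are. The standard way to bound it is a field width ("%255s" for a 256-byte buffer), and the trap noted in the first answer applies here too, since the width and the array size have to be kept in step by hand. The example below is added here and is not part of the original answer; it derives the width from one macro so the two cannot drift apart, and uses %n to notice when a token was silently cut at the width. The names FIELD_MAX, parse_credentials and the cred_status values are assumptions for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 255               /* longest token scanf may store */
#define FIELD_SIZE (FIELD_MAX + 1)  /* plus the terminating '\0' */

/* Stringify FIELD_MAX so the width in the format is derived from the same
 * constant as the array size: FIELD_FMT expands to "%255s". */
#define STR2(x) #x
#define STR(x) STR2(x)
#define FIELD_FMT "%" STR(FIELD_MAX) "s"

enum cred_status {
    CRED_OK = 0,        /* both fields read and complete */
    CRED_MISSING = 1,   /* fewer than two tokens on the line */
    CRED_TRUNCATED = 2  /* a token was longer than FIELD_MAX and was cut */
};

/* Returns 1 if the character at `pos` ends a token (end of string or space). */
static int token_ends_at(const char *line, int pos)
{
    return line[pos] == '\0' || isspace((unsigned char)line[pos]);
}

/* Parses "username password" from one line with width-limited %s, so the
 * write is bounded by FIELD_SIZE whatever the user typed. A width-limited %s
 * stops silently when the field is full, so %n records where each token
 * ended and the caller is told when the input continued past the width. */
enum cred_status parse_credentials(const char *line,
                                   char user[FIELD_SIZE],
                                   char pass[FIELD_SIZE])
{
    int end_user = 0, end_pass = 0;
    user[0] = pass[0] = '\0';
    if (sscanf(line, FIELD_FMT "%n " FIELD_FMT "%n",
               user, &end_user, pass, &end_pass) != 2)
        return CRED_MISSING;
    if ((strlen(user) == FIELD_MAX && !token_ends_at(line, end_user)) ||
        (strlen(pass) == FIELD_MAX && !token_ends_at(line, end_pass)))
        return CRED_TRUNCATED;
    return CRED_OK;
}

int main(void)
{
    /* Constructed sample line; in a real program this would come from fgets. */
    const char *line = "alice hunter2";
    char user[FIELD_SIZE], pass[FIELD_SIZE];
    enum cred_status st = parse_credentials(line, user, pass);
    printf("status=%d user=\"%s\" pass=\"%s\"\n", (int)st, user, pass);
    return 0;
}
```

Reading the line first with fgets and then parsing it with sscanf, as above, also avoids the other scanf habit that bites beginners: a bare scanf("%s") on stdin leaves the rest of the line (including the newline) in the stream for the next call.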


man gets says:

Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.


gets() is unsafe. It takes one parameter, a pointer to a char buffer. Ask yourself how big you have to make that buffer and how long a user can type input without hitting the return key.

Basically, there is no way to prevent a buffer overflow with gets() - use fgets().

