From man gets
:
Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.
Almost everywhere I see scanf
being used in a way that should have the same problem (buffer overflow/buffer overrun): scanf("%s",string)
. This problem exists in this case? Why there are no references about it in the scanf
man page? Why gcc does not warn when compiling this with -Wall
?
ps: I know that there is a way to specify in the format string the maximum length of the string with scanf
:
char str[10];
scanf("%9s",str);
edit: I am not asking to determe if the preceding code is right or not. My question is: if scanf("%s",string)
is always wrong, why there are no warnings and there is nothing about it in the man page?
scanf
is unsafe. – aviraldgscanf("%s",...)
is unsafe. One more reference about this: c-faq.com/stdio/scanfprobs.html. I still don't understand how there is nothing about this in the man page. – dbarbosa