S
Seebs
Well it took over 200 posts to this newsgroup to explan the problems
with fgets(). Eventually the penny dropped, but even experienced
programmers like our FAQ maintainer were getting hot under the collar
and threatening to killfile. My conclusion is that most human
programmers aren't skilled enpugh to use fgets() safely and it takes
an unreasonably long time to train them to do so.
Huh?
You've stumped me. It's incredibly easy to use fgets() safely.
char buffer[80] = { '\0' };
fgets(buffer, 79, stdin);
Meanwhile gets() can be implemented safely, of course.
I don't see how this is possible.
Often it is
implemented with reasonable safety (safe except in the case of
malicious attack, which if the program is operating in an environment
where a C compiler is avialable, isn't a serious concern).
You say "often". This implies some sort of statistical information.
Please share with us how many implementations of gets() you've evaluated,
and in what way they have attained this "reasonable safety"? Please
also explain what you mean by "safe except in the case of malicious
attack".
I guess... Mostly, this just sounds like incredibly bad software design.
"Safe except in the case of malicious attack" is pretty pointless, since
a whole lot of software gets attacked. I also don't have any idea
what you mean by "if the program is operating in an environment where
a C compiler is available, isn't a serious concern."
Consider basically any Unix-like system. It will typically have a C
compiler available, and be running software which was written on C on
network ports. That is to say, it will be FULL of examples of software
written in C, operating in an environment where a C compiler is available,
and which could reasonably be an attack vector.
I feel like I'm listening to someone pointing out that it's ridiculous
to have your brakes checked because most of the time cars are used on level
surfaces, where brake failure isn't a serious concern.
-s