{"id":1117,"date":"2014-12-13T00:01:35","date_gmt":"2014-12-13T08:01:35","guid":{"rendered":"http:\/\/c-for-dummies.com\/blog\/?p=1117"},"modified":"2014-12-20T07:36:27","modified_gmt":"2014-12-20T15:36:27","slug":"a-foolish-way-to-read-a-string","status":"publish","type":"post","link":"https:\/\/c-for-dummies.com\/blog\/?p=1117","title":{"rendered":"A Foolish Way to Read a String"},"content":{"rendered":"<p>Back in the old days, the obvious and logical way to read a string was to use the <em>gets()<\/em> function, where <em>gets<\/em> stands for &#8220;get string.&#8221; That makes sense, but only a hardy fool would use that function today.<br \/>\n<!--more--><br \/>\nThe <em>gets()<\/em> function was cousin to the <em>getchar()<\/em> function. They&#8217;re input functions, similar to <em>puts()<\/em> and <em>putchar()<\/em>, which are output functions. The <em>getchar()<\/em>, <em>putchar()<\/em>, and <em>puts()<\/em> functions are still actively used, whereas the <em>gets()<\/em> function has been deprecated.<\/p>\n<blockquote><p>A <em>deprecated<\/em> function was once a valid part of the C Library, but its use is now discouraged. The thought is that eventually the function will disappear, so programmers are encouraged to use something else, typically a newer function or some other alternative.<\/p><\/blockquote>\n<p>The problem with <em>gets()<\/em> is that it doesn&#8217;t measure input; it lacks <em>bounds checking<\/em>. So it&#8217;s possible to stuff 200 characters of input into storage for a 64-character string. What happens to the extra 136 characters? Why, they&#8217;re loaded into memory, stomping over whatever is already there.<\/p>\n<p>Clever and admittedly evil programmers exploited the <em>gets()<\/em> function&#8217;s weakness to code malicious software. 
Because of that, millions of lines of code &#8212; including code in every major operating system &#8212; were examined to find and remove every <em>gets()<\/em> statement.<\/p>\n<p>You can still use <em>gets()<\/em> today, although I don&#8217;t recommend it. Here&#8217;s sample code:<\/p>\n<pre class=\"screen\">\r\n#include &lt;stdio.h&gt;\r\n\r\nint main()\r\n{\r\n    char buffer[32];\r\n\r\n    printf(\"Type something: \");\r\n    gets(buffer);\r\n    printf(\"You typed '%s'\\n\",buffer);\r\n\r\n    return(0);\r\n}<\/pre>\n<p>The <em>gets()<\/em> function at Line 8 reads standard input. The characters typed &#8212; up to but not including the Enter key &#8212; are stored in the <em>char<\/em> array <code>buffer<\/code>.<\/p>\n<p>If you build the code, you might see a warning, although not every compiler displays that warning.<\/p>\n<p>When you run the code, you may see something like this:<\/p>\n<pre><code>warning: this program uses gets(), which is unsafe.<\/code><\/pre>\n<p>Then the program runs, reading a string and then displaying the string.<\/p>\n<p>Of course, if you type more than 32 characters, who knows where they go or how the code is affected?<\/p>\n<p>The Bad Guys would input binary data or executable code. Sometimes they&#8217;d load hundreds of thousands of bytes of data, knowing that it would overwrite something in memory that they could exploit. That sounds difficult to do, but as history shows, the process was successful and many systems were infected.<\/p>\n<p><a href=\"http:\/\/c-for-dummies.com\/blog\/?p=1120\">Next Lesson<\/a> I&#8217;ll review some popular and unpopular alternatives to the <em>gets()<\/em> function.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>C has a history of misunderstanding strings. 
<a href=\"https:\/\/c-for-dummies.com\/blog\/?p=1117\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1117","post","type-post","status-publish","format-standard","hentry","category-main"],"_links":{"self":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1117"}],"version-history":[{"count":8,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1117\/revisions"}],"predecessor-version":[{"id":1145,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1117\/revisions\/1145"}],"wp:attachment":[{"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c-for-dummies.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}