Hello all,

I have been using the gets() function in combination with the printf() function to obtain input from the user. This made the checking of acceptable input data relatively easy, however I was reading in Bjarne Stroutstrup's book, "Programming Principles and Practice Using C++" that the gets() function should never be used. He states the following:

"Together with its close cousin scanf("%s"), gets() used to be the root cause of about a quarter of all successful hacking attempts. It is still a major security problem."

"Thus, gets() almost certainly leads to memory corruption (of the bytes after the buffer), and memory corruption is a major tool of crackers."

I write small programs (500 - 2000) lines of code for my own use to aide in the design of process equipment. I am not concerned about security breaches. The memory corruption is not something I totally understand. I have been using these programs for sometime without any problems.

So my questions are;

Should I remove all of the gets() functions and use getline()?

Are my programs so small that the editorial above does not even apply?

Has anyone encounted memory corruption?

Thanks
Matt

...I have been using these programs for sometime without any problems...As long as the input string is not too large for the size of the char array that the gets() function uses, you won't have problems.

However...

There is no way (and I mean it: no way) to guarantee that the buffer will never overflow if you use gets(...) or scanf("%s",...) to read strings from user input (or file input).

[/Begin Editorial Comments]
Someday, in some way, somehow, in some manner, you may find that improper user input will cause the buffer to overflow. See Footnote.


Should I remove all of the gets() functions and use getline()?I wouldn't take it on myself to tell other people what they should do, but I ask you to consider this: If there are methods that, when properly applied, absolutely guarantee no buffer overflow and there are other methods for which it is impossible to guarantee that a buffer can't overflow, which would you rather use? Not just now, not just for "small programs" for your own personal use, but as a part of habitually developing and using good programming practices. Hmmm?

For C programs, you can use fgets() in such a way that there is no buffer overflow, but there is the (to some people) annoying fact that the presence of the newline character in the input buffer after using fgets() sometimes has to be taken care of. Personally, I can't imagine that I would sacrifice safety in order to avoid the very minor task of getting rid of the newline character (which might not even be necessary at all in many circumstances).

For C++ programs I have to ask why the heck anyone would be reading stuff into arrays of chars anyhow. I mean, you can use the istream getline() member function to read safely into char arrays, but why not use std::string objects? The global getline() function works nicely with them. The string object won't overflow, and you don't have to worry about whether there is a newline character that may have to be handled (there won't be).

Using fgets or getline won't guarantee that the program behaves correctly, of course, but they can guarantee that user input can't cause buffer overflow and the subsequent and dreaded "undefined behavior," which is the source of bugs that may be difficult to track down. Even if you aren't worried about hackers deliberately trying some kind of exploit, why leave the program open to this particular kind of misbehavior? It simply is not called for.


Are my programs so small that the editorial above does not even apply? I can't imagine what the size of the program has to do with it. I have seen many, many (many) small programs that are incredibly bad (and not just because they use scanf or gets).

[/End Editorial Comments]

Bottom line: Safe or unsafe? That is the question. The answer is up to you.


Regards,

Dave

Footnote: People seem to think that Murphy's law has something to do with being unlucky. Well, it doesn't. It just means that if your programs are open to misbehavior then somehow, someday, someway, they will fail.

Thanks for the comments.

Even if you aren't worried about hackers deliberately trying some kind of exploit, why leave the program open to this particular kind of misbehavior? It simply is not called for.

I agree.

At the time I started using gets() I didn't know there was any problem with it, now that I know of the problems with it I will no longer use it in my programs.

Thanks
Matt