Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!ub!boulder!stan!marvin!imp
From: imp@marvin.Solbourne.COM (Warner Losh)
Newsgroups: comp.lang.c
Subject: Re: What's so bad about scanf anyway???
Message-ID: <1990Nov12.050450.7194@Solbourne.COM>
Date: 12 Nov 90 05:04:50 GMT
References: <16582@netcom.UUCP>
Sender: news@Solbourne.COM
Organization: Solbourne Computer, Inc.
Lines: 19

In article roy%cybrspc@cs.umn.edu (Roy M. Silvernail) writes:
>It's better, IMHO, to gets() a whole line, check its validity and _then_ sscanf()

True.  However, I'd use fgets().  See below.

>It just makes things more bullet-resistant.

gets() is a bad function to use when you don't have total control over
the input (like a user typing at a program).  Since it can't check to
see if the input line is too large for the buffer, "bad things" can
happen as a result.  One vector of the Internet Worm/Virus/Whatever
used the fact that the finger daemon used gets and was running as root
to cause some trouble....

Warner
--
Warner Losh		imp@Solbourne.COM
How does someone declare moral bankruptcy?
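
The approach discussed in this post (read a bounded line with fgets(), check it, then sscanf() it), as an added example that is not part of the original post. The names read_int_line and sample_input, the 32-byte buffer and the return codes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 32   /* assumed buffer size, chosen for the example */
enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2, LINE_BAD = -3 };

/* Read one line with fgets(), which is given the buffer size and so cannot
 * write past it, then validate and parse the line with sscanf(). */
int read_int_line(FILE *in, int *out)
{
    char buf[LINE_BUF], extra;
    int c, too_long = 0;

    if (fgets(buf, sizeof buf, in) == NULL)
        return LINE_EOF;
    if (strchr(buf, '\n') == NULL) {
        /* No newline stored: drain the rest so the next call starts on a
         * fresh line, and reject if anything had to be thrown away. */
        while ((c = getc(in)) != EOF && c != '\n')
            too_long = 1;
        if (too_long)
            return LINE_TOO_LONG;
    }
    /* %9d keeps the value inside a 32-bit int; %c catches trailing junk
     * such as "12abc" or a tenth digit. */
    if (sscanf(buf, "%9d %c", out, &extra) != 1)
        return LINE_BAD;
    return LINE_OK;
}

/* Constructed sample input, placed in a temporary file. */
FILE *sample_input(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) { fputs(text, f); rewind(f); }
    return f;
}

int main(void)
{
    FILE *f = sample_input("42\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n12abc\n7\n");
    int v = 0, rc;
    if (f == NULL)
        return 1;
    while ((rc = read_int_line(f, &v)) != LINE_EOF)
        printf("rc=%d%s\n", rc, rc == LINE_OK ? " (value parsed)" : "");
    fclose(f);
    return 0;
}
```

An overlong line is reported and skipped instead of overrunning the buffer, and the following line is still read from its start.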