From: "Wavemaker"
Newsgroups: alt.comp.lang.learn.c-c++,comp.os.msdos.djgpp,comp.programming
References: <8scg36$gsm$1 AT nnrp1 DOT deja DOT com> <39E9CF07 DOT 785C0C0F AT eton DOT powernet DOT co DOT uk> <8scls9$kth$1 AT nnrp1 DOT deja DOT com> <39E9FAD5 DOT DE1FDAE4 AT eton DOT powernet DOT co DOT uk> <8sdrub$h7u$1 AT nnrp1 DOT deja DOT com> <39EAA40B DOT 31B0CA89 AT eton DOT powernet DOT co DOT uk> <8seoli$65v$1 AT nnrp1 DOT deja DOT com> <39EAF73E DOT ECA52E1A AT antlimited DOT com>
Subject: Re: Undertaking a programming journey
Lines: 32
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID:
Organization: Randori News Inc. -- http://www.randori.com -- Reliable!
Date: Mon, 16 Oct 2000 15:35:54 -0500
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

"Richard Heathfield" wrote:

> ChuckEasttom wrote:
> > Richard Heathfield wrote:
> > >
> > > Schildt is probably the primary reason that so many C programmers use
> > > gets().
> >
> > Ditto, whether you or I like it, that piece of code is part of the C
> > language.
>
> True, but it can never be used safely. The Internet Worm of 1988
> exploited gets()'s inherent weakness for malicious purposes. There's
> really no reason to deliberately introduce weaknesses and security holes
> into your code. Schildt has a responsibility, as a C populariser, to be
> aware of this problem and to guide people away from it. He has failed so
> to do.

To be fair, he does point this out in his book "C/C++ Programmer's Reference." In his explanation of gets(), he adds a "Programming Tip" which describes the dangers of using gets() and offers fgets(), specifying stdin for the input stream, as an alternative.

Um... but then in the example code he gives for using fgets(), he repeats the bug you pointed out in your earlier post with the example from "C - The Complete Reference" by using printf() to print a string literal without including the newline character or flushing the output stream after the printf() call.
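The thread above covers two separate points: gets() cannot bound its write to the buffer (the weakness Heathfield refers to), and a prompt printed with printf() and no trailing newline may sit in the stdout buffer until something flushes it. The following is an added example, not code from the post or from any of the books discussed, showing the bounded fgets()-based replacement that the post says Schildt recommends, together with the explicit fflush() after the prompt. It also handles the edge case a plain fgets() call leaves behind: a line longer than the buffer is otherwise split across two reads, so the remainder is drained and the truncation reported. The sample input, the buffer size and the helper names (read_line, process_input, and so on) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 16   /* deliberately small so truncation is easy to trigger */

/* Print a prompt that has no trailing newline. stdout is normally
 * line-buffered on a terminal, so without fflush() the text may not
 * appear before the program blocks waiting for input. */
static void prompt(const char *text)
{
    printf("%s", text);
    fflush(stdout);
}

/* Bounded replacement for gets(): reads one line into buf (capacity n).
 * Returns 1 if a line was read, 0 on EOF or error.
 * The trailing '\n' is removed. If the line was longer than n-1 bytes,
 * the remainder is discarded so the next call starts on a fresh line,
 * and *truncated is set to 1 (otherwise 0). */
static int read_line(FILE *in, char *buf, size_t n, int *truncated)
{
    *truncated = 0;
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return 0;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline in buf: the input ended, the line ended exactly at the
     * buffer boundary, or the line did not fit. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;
    *truncated = 1;
    while (c != '\n' && c != EOF)   /* drain the rest of the over-long line */
        c = fgetc(in);
    return 1;
}

/* Feed constructed input through read_line() with a LINE_MAX_LEN buffer.
 * Returns the number of lines read (-1 on error); *truncated_lines counts
 * the ones that exceeded the buffer; last_line (at least LINE_MAX_LEN
 * bytes) receives the final line read. */
static int process_input(const char *input, int *truncated_lines, char *last_line)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);

    char buf[LINE_MAX_LEN];
    int lines = 0, trunc;
    *truncated_lines = 0;
    last_line[0] = '\0';
    while (read_line(in, buf, sizeof buf, &trunc)) {
        lines++;
        *truncated_lines += trunc;
        strcpy(last_line, buf);   /* buf holds at most LINE_MAX_LEN bytes */
    }
    fclose(in);
    return lines;
}

/* Convenience wrappers so each result can be checked on its own. */
static int truncated_count(const char *input)
{
    int trunc;
    char last[LINE_MAX_LEN];
    return process_input(input, &trunc, last) < 0 ? -1 : trunc;
}

static int last_line_equals(const char *input, const char *expected)
{
    int trunc;
    char last[LINE_MAX_LEN];
    if (process_input(input, &trunc, last) < 0)
        return 0;
    return strcmp(last, expected) == 0;
}

/* Constructed sample: a short line, a line that does not fit in 15 bytes
 * plus the terminator, and an unterminated last line. */
static const char SAMPLE[] = "short\n"
                             "this line is far too long for the buffer\n"
                             "tail";

int main(void)
{
    int trunc;
    char last[LINE_MAX_LEN];
    prompt("Enter text: ");   /* no newline in the prompt, so flush explicitly */
    int n = process_input(SAMPLE, &trunc, last);
    printf("\n%d lines read, %d truncated, last = \"%s\"\n", n, trunc, last);
    return 0;
}
```

With the 16-byte buffer the sample reads as three lines, one of them truncated; without the drain loop the second line would come back as three separate "lines", which is the behaviour that catches people who switch from gets() to fgets() mechanically.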