Safer input in C
September 10, 2015
Why not to use scanf
`scanf` is the standard method to get structured, formatted input in C. The problems with `scanf` are:
- While it is extremely powerful, it is not very robust when it comes to error recovery. It does tell you whether it has succeeded or failed (through the return value), but basically that's all.
- Reading strings with `%s` has the same vulnerability as `gets`: it does not check the size of your buffer, so input longer than the buffer causes an overflow.
- It does not ignore whitespace when reading characters, which means that a newline is treated as a character like any other. This is a problem when you are reading single `char`s. If the user enters a single `char` and presses enenter, a newline character (`'\n'`) is also added to the buffer. Now when you try to read another `char`, the `'\n'` is read instead.
A more detailed explanation is on c-faq.com.
An alternative
A quick search on Stack Overflow showed that using `fgets` to read strings is considered a good option. To read `int`s and `float`s, the `sscanf` function can be used: `sscanf` takes formatted "input" from a string rather than from `stdin`.
`fgets` has another quirk: it reads the `'\n'` into the string too. This can be resolved by checking the last character.
Here's how I implemented a `read_line` function that reads strings of a given size, thus avoiding overflow.
This function can be used to implement a `read_int` function that asks the user to re-enter the input if the input is invalid.
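The two functions described above, written out as an added example (this is not the post's own code): `read_line` wraps `fgets`, strips the trailing `'\n'`, and drains an over-long line so its leftover bytes cannot be mistaken for the next answer; `read_int` keeps asking until a whole line parses as an `int`. It uses `strtol` rather than `sscanf` so that out-of-range values are rejected instead of being accepted silently; the `FILE *` parameter and the `demo_read_int` helper (which feeds constructed text through a `tmpfile()` stream) are assumptions made so the code can be exercised without a terminal.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Read one line into buf (size-1 chars max) and strip the '\n' fgets keeps. */
int read_line(char *buf, size_t size, FILE *in) {
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return LINE_EOF; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return LINE_OK; }
    int c = getc(in);                           /* no '\n' in buf: look ahead */
    if (c == EOF || c == '\n') return LINE_OK;  /* final line, or fit exactly */
    while (c != '\n' && c != EOF) c = getc(in); /* drain the over-long tail so */
    return LINE_TOO_LONG;                       /* it can't pose as next input */
}

/* Parse a whole line as an int. strtol rather than sscanf, so that out-of-range
 * values and trailing junk ("12abc") are both rejected instead of accepted. */
int parse_int(const char *text, int *out) {
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end || errno == ERANGE || v < INT_MIN || v > INT_MAX) return 0;
    *out = (int)v;
    return 1;
}

/* Ask again until a valid int arrives; returns 0 only when input hits EOF. */
int read_int(int *out, FILE *in) {
    char buf[32];
    for (;;) {
        int st = read_line(buf, sizeof buf, in);
        if (st == LINE_EOF) return 0;
        if (st == LINE_OK && parse_int(buf, out)) return 1;
        fputs("Invalid input, please enter an integer: ", stdout);
    }
}

/* Demo helper: run read_int over constructed text via a tmpfile() stream. */
int demo_read_int(const char *input) {       /* accepted value, or -1 at EOF */
    FILE *f = tmpfile();
    int v = -1;
    if (f == NULL) return -1;
    fputs(input, f); rewind(f);              /* load the constructed input */
    if (!read_int(&v, f)) v = -1;
    fclose(f);
    return v;
}
```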