Why is the gets function dangerous?

This is a discussion on Why is the gets function dangerous? within the C Programming forums, part of the General Programming Boards category; Greets all, I've started reading many c books in the past few weeks, and have been enjoying learning them. I ...

  1. #1
    Registered User
    Join Date
    Sep 2002
    Posts
    18

    Why is the gets function dangerous?

    Greets all,

    I've started reading many c books in the past few weeks, and have been enjoying learning them. I followed this one example from a c book, whick demonstrates the system function which is as follows:

    Code:
    /*This demonstrates the system function*/ 
    #include <stdio.h> 
    #include <stdlib.h> 
     
    int main() 
    { 
        
       /*declare a buffer to hold input*/ 
       char input[40]; 
        
       while(1) 
       { 
         
          puts("\nEnter a system command, blank to exit"); 
          gets(input); 
           
          /*Exit if input == null*/ 
          if(input[0] == '\0') 
          exit; 
     
          /*execute command*/ 
          system(input); 
       } 
       return 0; 
    }
    Now, it compiles and works fine, but while compiling it say's:

    /tmp/ccWRQUCs.o(.text+0x28): the 'gets' function is dangerous and should not be used.
    so i got curious, and didn't set and array size for input, and left it as -

    Code:
    char input[];
    and the message about the gets function was not printed onscreen while compiling.

    Why does it stop printing the gets warning when not setting a size for input? Why is the gets command so dangerous?


    Thankyou very much for your time.
    Regards,
    Kevin.j

  2. #2
    Just because ygfperson's Avatar
    Join Date
    Jan 2002
    Posts
    2,493
    gets() is dangerous because it is possible for the user to crash the program by typing too much into the prompt. it can't detect the end of availiable memory, so if you allocate an amount of memory too small for the purpose, it can cause a seg fault and crash. sometimes it seems very unlikely that a user will type 1000 letters into a prompt meant for a person's name, but as programmers we need to make our programs bulletproof. (it may also be a security risk if a user can crash a system program by sending too much data).

    fgets() allows you to specify how many characters are taken out of the standard input buffer, so they don't overrun the variable.

  3. #3
    Registered User
    Join Date
    Sep 2002
    Posts
    18
    Thankyou for your time & a quick responce.

    So having the gets() will always be a potential hazard which could lead to a buffer overflow as it doesn't detect the end of availiable memory...

    fgets() allows you to specify how many characters are taken out of the standard input buffer, so they don't overrun the variable.
    I will keep that in mind.

    Thank you,
    Regards,
    Kevin

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Undefined Reference Compiling Error
    By AlakaAlaki in forum C++ Programming
    Replies: 1
    Last Post: 06-27-2008, 12:45 PM
  2. Screwy Linker Error - VC2005
    By Tonto in forum C++ Programming
    Replies: 5
    Last Post: 06-19-2007, 03:39 PM
  3. Message class ** Need help befor 12am tonight**
    By TransformedBG in forum C++ Programming
    Replies: 1
    Last Post: 11-29-2006, 11:03 PM
  4. Game Pointer Trouble?
    By Drahcir in forum C Programming
    Replies: 8
    Last Post: 02-04-2006, 02:53 AM
  5. Question..
    By pode in forum Windows Programming
    Replies: 12
    Last Post: 12-19-2004, 07:05 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21