Thread: gets() not so bad

  1. #1
    Registered User
    Join Date
    Sep 2008
    Location
    Toronto, Canada
    Posts
    1,834

    gets() not so bad

    Can the regulars here stop deriding & insulting professors who teach students to use gets()?

    I use this function all the time. It's perfectly wonderful. Every program is likely to have way more places in it where things can blow up. The last thing a student of C needs to worry about is some orchestrated attack by someone who would exploit buffer overruns... Such users are not likely the audience for assignment project code.

    Not every piece of code needs to be criminal-hacker proof. Just make sure the buffer is reasonably large. Say, a reusable buffer of 500 bytes for simple inputs.

  2. #2
    Third Eye Babkockdood's Avatar
    Join Date
    Apr 2010
    Posts
    352
    I just executed a simple program that uses gets. After execution GCC gave me, "warning: this program uses gets(), which is unsafe".

  3. #3
    ATH0 quzah's Avatar
    Join Date
    Oct 2001
    Posts
    14,826
    Can? Yes. Will? No. There's no reason to not switch to fgets. It's not like it's a hard change to make. Most people just show up and say "do this for me", anyway, so I'm not too worried about upsetting them or hurting their feelings.

    Besides, why reinforce bad habits? Teach them right the first time, so you don't have to keep telling them the same thing over and over.


    Quzah.
    Hope is the first step on the road to disappointment.

  4. #4
    Registered User
    Join Date
    Mar 2009
    Posts
    399
    It's broken by design. It should never have been in the C library to begin with, and teaching students to use it is a good way of making the students look incompetent when they start using it in code that other coders are going to look at. Besides, it's not like it requires much effort to use a function like fgets instead.

    If I was a student I would be upset if my professor was teaching me to program in a way that would make me look like a fool to any other decent programmer.

  5. #5
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    I agree in principle that people should be free to take all the risks they want IF they understand them, esp. since even gets() could be used completely safely in some circumstances* IF you understand what the issue is (and as we know, it is a very simple issue). I do not think the "risk" here, for newbies, however, has anything to do with user exploitation.

    AFAIK "gets" is the only standard function which the GNU linker issues a warning just for using (it actually says "never use gets" too), so this is not just something peculiar to the forum. I don't think I've ever told anyone not to use it. On the other hand, I do not see a purpose to the function at all -- you might as well just learn fgets() and be done with it, so it's probably for the best that people be shoo-ed away from it.

    On the other (other) hand, that's kind of patronizing and does reflect an attitude that I find distasteful (excessive paranoia WRT memory management, which I think once you are aware of the potential problems you can cause yourself, you can learn to deal with it -- I do not need to be protected from the potential stupidity of [some theoretical idiot] and I don't think anyone else does either).

    BUT I think people have the right to express an opinion, and you, nonoob, have the right to contradict it with your own. I do this here all the time. At some point, the newbie him/herself has to sort out who to trust, who not to, how, when, where, why. That's life! There's no point in shielding them from debate.

    Quote Originally Posted by nonoob View Post
    Just make sure the buffer is reasonably large. Say, a reusable buffer of 500 bytes for simple inputs.
    Well, why not go for full disclosure and tell them a nice "power of 2" round number is the real ideal, say 1K or 2K or 4K.

    * nb. I would never bother to do that myself, personally -- probably I am a product of cboard
    Last edited by MK27; 06-10-2010 at 03:54 PM.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  6. #6
    Registered User
    Join Date
    Sep 2008
    Location
    Toronto, Canada
    Posts
    1,834
    I was gonna say 256 or 512, actually. I allocate powers-of-two myself, just in case the compiler or memory allocator is happier that way.

  7. #7
    ATH0 quzah's Avatar
    Join Date
    Oct 2001
    Posts
    14,826
    I usually just use BUFSIZ. But hey, if you're going to start doing things the smart way, why are you still using gets?


    Quzah.
    Hope is the first step on the road to disappointment.

  8. #8
    Registered User
    Join Date
    Sep 2008
    Location
    Toronto, Canada
    Posts
    1,834
    Quote Originally Posted by Babkockdood View Post
    I just executed a simple program that uses gets. After execution GCC gave me, "warning: this program uses gets(), which is unsafe".
    That's not the only function for which Microsoft Visual Studio C++ complains. I have to set the preprocessor definition CRT_SECURE_NO_DEPRECATE as per its recommendation to shut it up. It seems over the past few years, many of our well loved string and memory standard library functions have been declared as unsafe.

    Maybe programmers are getting dumber and we need to have nice bubble-wrapped soft and cozy functions for everything to protect us.

  9. #9
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by quzah View Post
    I usually just use BUFSIZ. But hey, if you're going to start doing things the smart way, why are you still using gets?
    Again, I don't, but I don't see any reason why you shouldn't if you understand the problem and it suits your purposes. Just not in production grade code please! (I'd assume the reason GNU ld has that warning is precisely that.)

    Quote Originally Posted by nonoob View Post
    Maybe programmers are getting dumber and we need to have nice bubble-wrapped soft and cozy functions for everything to protect us.
    I find that super-paranoia irritating too -- I presume it is a product of certain workplaces, and for good reason (but that does not make it "true" or justified in a more pure and abstract sense).
    Last edited by MK27; 06-10-2010 at 04:11 PM.

  10. #10
    ATH0 quzah's Avatar
    Join Date
    Oct 2001
    Posts
    14,826
    The real problem with gets is that people use it, and then are immediately told to use scanf, and they start mixing them up and they can't figure out why their input doesn't work right all the time.


    Quzah.
    Hope is the first step on the road to disappointment.

  11. #11
    Registered User
    Join Date
    Jan 2009
    Posts
    1,485
    As you know, the gets() man page has this to say about it:

    SECURITY CONSIDERATIONS
    ... It is strongly suggested that the fgets() function be used in all cases. (See the FSA.)
    Even though the "risk" is definitely related to the context in which gets is used, I think it's normal that this is mentioned on a C programming board if someone seems to be unaware of it.
    Last edited by Subsonics; 06-10-2010 at 04:30 PM.

  12. #12
    Registered User
    Join Date
    Dec 2007
    Posts
    2,675
    Yeah, let's let the ignorance continue. What could it possibly hurt?

  13. #13
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    The only reason a professor would suggest using gets() over fgets() is because he believes you are too stupid to understand how to call fgets(). In other words, you're admitting you are an idiot if you use gets().

    You're learning how to program a computer, yes? Well, learn how to pass a freaking buffer size into a function.
    Code:
    //try
    //{
    	if (a) do { f( b); } while(1);
    	else   do { f(!b); } while(1);
    //}

  14. #14
    Woof, woof! zacs7's Avatar
    Join Date
    Mar 2007
    Location
    Australia
    Posts
    3,459
    Unless you can predict their input data, then certainly don't ignore the fact they're using gets(). There's really no reason to use it, or ignore the fact someone else is using it. In most cases, it could be fixed by a simple regex find-and-replace. In VIM:

    Code:
    :%s/\<gets(\([^)]*\))/fgets(\1, sizeof(\1), stdin)/gc
    And that took all of 5 seconds to come up with. Not only is there no reason for not using gets(), there's also no reason to leave it there.
    Last edited by zacs7; 06-10-2010 at 07:17 PM.
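
The gets()-to-fgets() swap discussed in this thread, as an added example that is not part of any post: a bounded line reader that also handles a line longer than the buffer. The names `read_line`, `demo` and the `LINE_*` codes are this example's own, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Result codes are this example's own names, not a standard API. */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Bounded stand-in for gets(buf): stores at most size-1 bytes of one line,
 * strips the newline, and discards the tail of an overlong line so the next
 * call starts on a fresh line instead of on leftovers. */
int read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return LINE_EOF;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {            /* the whole line fit */
        buf[len] = '\0';
        return LINE_OK;
    }
    if (len < size - 1)                /* last line, no trailing newline */
        return LINE_OK;
    int c = getc(in);                  /* buffer is full: is there more? */
    if (c == EOF || c == '\n')
        return LINE_OK;                /* line was exactly size-1 bytes */
    while ((c = getc(in)) != EOF && c != '\n')
        ;                              /* bytes gets() would have written past buf */
    return LINE_TRUNCATED;
}

/* Constructed input: a short line, a 600-byte line (longer than the 500-byte
 * buffer suggested in the thread), then another short line. */
int demo(int results[3], char last[16])
{
    char buf[500];
    FILE *in = tmpfile();
    if (in == NULL) return LINE_EOF;
    fputs("alice\n", in);
    for (int i = 0; i < 600; i++) putc('A', in);
    fputs("\nbob\n", in);
    rewind(in);
    for (int i = 0; i < 3; i++)
        results[i] = read_line(buf, sizeof buf, in);
    snprintf(last, 16, "%s", buf);     /* third line read */
    int end = read_line(buf, sizeof buf, in);
    fclose(in);
    return end;
}

int main(void)
{
    int r[3] = {0};
    char last[16] = "";
    int end = demo(r, last);
    printf("%d %d %d end=%d last=%s\n", r[0], r[1], r[2], end, last);
}
```

`sizeof buf` yields the buffer size only where `buf` is an array in scope; when the destination is a pointer (for example a function parameter), the size has to be passed in separately.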

  15. #15
    Registered User
    Join Date
    May 2010
    Location
    Naypyidaw
    Posts
    1,314
    Never mind. Next C standard will remove gets() function.
    C1X - Wikipedia, the free encyclopedia
