Thread: strcmp();

  1. #16
    anonytmouse (Yes, my avatar is stolen)
    Join Date: Dec 2002
    Posts: 2,544
    OK, I'll justify myself.
    Code:
    scanf("%s%s",string1,string2);
    is the slightly slower equivalent* of:
    Code:
    gets(string1);
    gets(string2);
    * Actually, gets() stops at a newline while scanf stops at whitespace.

    However, gets() is less dangerous because:
    1. Some compilers will warn about the danger of gets().
    2. gets() will be picked up by other coders while the _scanf bug will often be missed. This is demonstrated by this forum. Use of gets() is commented on immediately while the _scanf bug regularly goes without comment, even when highly experienced programmers have posted comments on the code.
    3. Code and security reviews are more likely to miss the improper scanf usage.
    4. Employers are more likely to employ people who can't use scanf than people who use gets().
    5. Documentation for gets() usually explicitly points out the risk. This is not the case for _scanf, although MSDN does get it right.
    6. The dangers of gets() are in the faq, as far as I can tell, _scanf does not get the same treatment.


    To use _scanf safely with strings, you must specify a width, one less than the size of the buffer.
    Code:
    scanf("%98s%98s",string1,string2);
    If you don't, you should use gets() as it is safer.
    Last edited by anonytmouse; 05-02-2004 at 01:30 AM.
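    The width rule above, as an added example rather than anonytmouse's own code: it assumes two 100-byte buffers (so the width is 99, one less than the size), and feeds constructed input through sscanf() in place of scanf() on stdin so it runs offline. It also shows the caveat the post leaves out: a width only truncates, so an over-long first token is not rejected, its remainder simply spills into the next %s conversion.

```c
#include <stdio.h>
#include <string.h>

#define BUF 100   /* size assumed here for string1 and string2 */

/* Length of the first whitespace-delimited token: exactly how many bytes an
 * unbounded scanf("%s") would copy (plus a terminator) regardless of the
 * destination size. Anything >= BUF means the unbounded form overflows. */
size_t first_token_len(const char *line)
{
    size_t i = 0, start;
    while (line[i] == ' ' || line[i] == '\t' || line[i] == '\n')
        i++;
    start = i;
    while (line[i] != '\0' && line[i] != ' ' && line[i] != '\t' && line[i] != '\n')
        i++;
    return i - start;
}

/* Bounded form of scanf("%s%s", string1, string2) for two BUF-byte buffers:
 * the width 99 is one less than BUF, leaving room for the terminator.
 * Operates on a string via sscanf so the demo needs no stdin.
 * Returns the number of fields converted (0, 1 or 2), or EOF on empty input. */
int read_two_words_bounded(const char *line, char string1[BUF], char string2[BUF])
{
    string1[0] = '\0';
    string2[0] = '\0';
    return sscanf(line, "%99s%99s", string1, string2);
}

/* Same thing with the widths derived from the buffer sizes at run time, so a
 * literal like 99 cannot drift out of sync with the array declaration. */
int read_two_words_sized(const char *line, char *s1, size_t n1, char *s2, size_t n2)
{
    char fmt[64];
    if (n1 < 2 || n2 < 2)
        return -1;
    snprintf(fmt, sizeof fmt, "%%%zus%%%zus", n1 - 1, n2 - 1);
    s1[0] = '\0';
    s2[0] = '\0';
    return sscanf(line, fmt, s1, s2);
}

int main(void)
{
    char string1[BUF], string2[BUF];
    char big[300];   /* constructed input: a 200-byte token, then " tail" */
    int n;

    memset(big, 'A', 200);
    memcpy(big + 200, " tail", 6);

    printf("unbounded %%s would write %zu bytes into a %d-byte buffer\n",
           first_token_len(big) + 1, BUF);

    /* With widths nothing overflows, but note where the bytes go: string1
     * gets 99 'A's, string2 gets the NEXT 99 'A's, and " tail" is never read. */
    n = read_two_words_bounded(big, string1, string2);
    printf("bounded: %d fields, lengths %zu and %zu, string2 starts with '%c'\n",
           n, strlen(string1), strlen(string2), string2[0]);
    return 0;
}
```

    Truncation is the safe failure here, not a correct parse: when the input must be intact, check that the token fit (for instance by comparing strlen() against the width, or by switching to fgets() and testing for the newline) rather than trusting the two conversions to line up with the two words the caller expected.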

  2. #17
    quzah (ATH0)
    Join Date: Oct 2001
    Posts: 14,826
    I believe the point was, that with the addition of the letter f, you could have saved yourself the hassle of explaining why you think gets is a good choice.

    Quzah.
    Hope is the first step on the road to disappointment.

  3. #18
    xddxogm3 (essence of digital)
    Join Date: Sep 2003
    Posts: 589
    Just to kill the argument,
    I used fgets and sscanf in the actual program.
    I wanted to use strcmp(); but it was faulty for what I wanted.
    I needed to compare the full string instead of a sequential testing.
    It would kick out of the comparison as soon as the string differed.
    I needed it to test a double value that was stored in a string array.
    Instead of using strcmp I converted the strings to doubles with atof().
    After Tuesday I will post my final code for people to critique.
    Last edited by xviddivxoggmp3; 05-02-2004 at 06:37 PM.
    "Hence to fight and conquer in all your battles is not supreme excellence;
    supreme excellence consists in breaking the enemy's resistance without fighting."
    Art of War Sun Tzu
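    The atof() conversion mentioned in the post above, as an added example that is not xddxogm3's code: atof() returns 0.0 for "abc" and gives no way to tell that apart from a genuine "0", so the example uses strtod() with its end pointer to reject empty input, trailing junk and out-of-range values before comparing by value. The trailing-whitespace allowance is an assumption made so a line read with fgets() (newline still attached) parses cleanly.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the whole string as a double. Returns 1 and stores the value on
 * success; returns 0 for empty input, trailing garbage, NaN, or a value
 * that does not fit (ERANGE). Leading whitespace is skipped by strtod()
 * itself; trailing whitespace such as a newline from fgets() is tolerated. */
int parse_double(const char *s, double *out)
{
    char *end;
    double v;

    errno = 0;
    v = strtod(s, &end);
    if (end == s)
        return 0;               /* nothing was converted, e.g. "" or "abc" */
    if (errno == ERANGE)
        return 0;               /* overflow or underflow */
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return 0;               /* e.g. "3.14abc" */
    if (v != v)
        return 0;               /* strtod() accepts "nan"; reject it */
    *out = v;
    return 1;
}

/* Compare two numeric strings by value rather than by bytes.
 * Returns 1 if equal, 0 if not, and -1 if either string is not a valid
 * number, so the caller never confuses "invalid" with "not equal". */
int numeric_str_equal(const char *a, const char *b)
{
    double x, y;
    if (!parse_double(a, &x) || !parse_double(b, &y))
        return -1;
    return x == y;
}

int main(void)
{
    /* Constructed inputs: same value, different text, and one bad value. */
    const char *p = "1.0", *q = "1.00", *bad = "1.0x";

    printf("strcmp(\"%s\", \"%s\") = %d\n", p, q, strcmp(p, q));
    printf("numeric_str_equal(\"%s\", \"%s\") = %d\n", p, q, numeric_str_equal(p, q));
    printf("numeric_str_equal(\"%s\", \"%s\") = %d\n", p, bad, numeric_str_equal(p, bad));
    return 0;
}
```

    Exact comparison with == is fine here because both strings are converted by the same correctly rounded strtod(), so "0.1" and "0.10" yield the identical double; a tolerance is only needed once the values have been through arithmetic.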

  4. #19
    Been here, done that.
    Join Date: May 2003
    Posts: 1,164
    Quote Originally Posted by anonytmouse
    OK, I'll justify myself.
    ...
    However, gets() is less dangerous because:
    ...
    So the reason gets() is better is because more people will jump down your throat faster and tell you why it's wrong?!??

    Save the aggravation and start with fgets() in the first place! Sheesh, justification...
    Definition: Politics -- Latin, from
    poly meaning many and
    tics meaning blood sucking parasites
    -- Tom Smothers

  5. #20

    Well,

    Personally, sure, use gets() if you want, but if you want to be open to hackers taking full advantage of it to overflow your buffer or write whatever they want to it, etc... sure, use it.

    scanf() also has its ups and downs; that's why it's best you flush the stdin stream and use fgets(), allowing YOU to set the maximum number of bytes to read.

    The only reason why experienced programmers have concerns is either because 1) it happened to them before, or 2) they know what can happen, or lastly 3) if someone writes poor code, why keep using it?

    I do understand how some programmers are trying to help the beginners, but sometimes the way they deliver the statement sounds more like a "better do or die" situation. If you look beyond that and see what they are really trying to say, you shouldn't have to worry too much about the front-cover "WARNING: DON'T USE" scare.

    Likewise in my opinion, I say use fgets() as much as you can:

    char buffer[256];

    fflush(stdin);
    fgets(buffer, sizeof(buffer), stdin);


    scanf() and gets() are not in my recommendation, though scanf() isn't that bad if you are dealing with an integer cast type.

    Remember this is just my opinion, so feel free to post yours just don't blast mine


    Hope this helps,
    - Stack Overflow
    Segmentation Fault: I am an error in which a running program attempts to access memory not allocated to it and core dumps with a segmentation violation error. This is often caused by improper usage of pointers, attempts to access a non-existent or read-only physical memory address, re-use of memory if freed within the same scope, de-referencing a null pointer, or (in C) inadvertently using a non-pointer variable as a pointer.

  6. #21
    Ultraviolence Connoisseur
    Join Date: Mar 2004
    Posts: 555
    fflush(stdin); is undefined behavior, Stack Overflow... maybe you should read the FAQ yourself?
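    What the fgets() snippet in #20 was reaching for, and the portable replacement for the fflush(stdin) call that #21 objects to, as an added example that belongs to neither poster: fflush() is defined only for output streams, so the leftover input (say, the " extra\n" a %d conversion leaves behind) is drained by reading it with getc() instead. The example uses tmpfile() to stand in for stdin so it runs offline; in a real program fp would simply be stdin.

```c
#include <stdio.h>
#include <string.h>

/* Portable replacement for fflush(stdin): read and throw away everything
 * up to and including the next newline (or EOF). Returns the number of
 * bytes discarded, not counting the newline itself. */
size_t discard_line(FILE *fp)
{
    size_t n = 0;
    int c;
    while ((c = getc(fp)) != EOF && c != '\n')
        n++;
    return n;
}

/* fgets() into buffer[size], strip the newline, and if the line did not fit,
 * discard the excess so the next call starts on a fresh line instead of
 * silently treating the leftover as the next input.
 * Returns 0 at EOF, 1 for a line that fit, 2 for a line that was cut short. */
int read_line(FILE *fp, char *buffer, size_t size)
{
    char *nl;

    if (size < 2 || fgets(buffer, (int)size, fp) == NULL)
        return 0;
    nl = strchr(buffer, '\n');
    if (nl != NULL) {
        *nl = '\0';
        return 1;
    }
    /* No newline in the buffer: either the line was longer than size-1 bytes,
     * or it was the last line of the stream, or it was exactly size-1 bytes
     * long. Draining tells them apart: anything discarded means truncation. */
    return discard_line(fp) > 0 ? 2 : 1;
}

/* Build a FILE* from constructed text with tmpfile() so the demo runs
 * offline without typing at a prompt. */
FILE *stream_from(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    /* Constructed input: an integer with trailing junk, then two lines. */
    FILE *fp = stream_from("42 extra\nname that is far too long for the buffer\nlast");
    char buffer[16];
    int n = 0, rc;

    if (fp == NULL)
        return 1;
    if (fscanf(fp, "%d", &n) == 1)
        printf("read %d\n", n);
    /* Without this, " extra" would be read as the first line below. */
    printf("discarded %zu bytes of leftover input\n", discard_line(fp));

    while ((rc = read_line(fp, buffer, sizeof buffer)) != 0)
        printf("line \"%s\" (%s)\n", buffer, rc == 2 ? "truncated" : "complete");
    fclose(fp);
    return 0;
}
```

    The return code from read_line() is the part worth keeping: a caller that only checks for NULL from fgets() cannot tell a 15-byte line from a 15-byte prefix of something much longer, and it is that silent truncation, not a crash, that turns into a logic bug downstream.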
