OSEC

Re: % stdout?

From: Philip Guenther (guenthergmail.com)
Date: Thu Nov 09 2006 - 11:23:35 CST


On 11/9/06, Cassio B. Caporal <cassioostec.com.br> wrote:
> I have problems to print '%' in stdout... Suppose code below:
>
> #include <stdio.h>
>
> main() {
> char foo[] = "bar=30%\n";
> fprintf(stdout, bar);

When posting code, please cut-and-paste it into your message, as the
above code won't compile. I presume you meant to write:
                             fprintf(stdout, foo);

That passes 'foo' as the format argument to fprintf(). The format
argument is a compact description of what should be output and *NOT*
simply a string to be output. If you want to simply output a literal
string you should *not* pass that string as the format to fprintf, but
rather pass a format saying "just output the next argument as a
string" and pass the string as the next argument, a la:
                              fprintf(stdout, "%s", foo);

If the string being printed is under the control of an outside party,
then it is *critical* that you do something like the above to avoid
security holes.

IMHO, you should never invoke fprintf() with exactly two arguments,
nor printf() with exactly one argument. Either use a format of "%s"
or switch to fputs()/puts().

(...though you have to reverse the order of the arguments when going
from fprintf() to fputs()...)

Philip Guenther
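The point of the reply, shown side by side as an added example that is not part of the original thread: the same untrusted string rendered once as the format argument and once as a "%s" argument. The code uses snprintf() into a buffer rather than fprintf(stdout, ...) so the two results can be compared; the extra `secret` argument passed to the unsafe variant is an assumption that stands in for whatever the caller's argument list (or, in real life, the stack) happens to hold, and the sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Unsafe pattern: the untrusted string *is* the format. Any '%'
 * conversion in it is interpreted, and the conversions pull values
 * from the caller's argument list. 'secret' models such a value; with
 * printf() and no arguments at all, the conversions read whatever lies
 * beyond the format pointer, which is the classic format string hole.
 */
static int render_as_format(char *out, size_t n, const char *untrusted, unsigned secret)
{
    return snprintf(out, n, untrusted, secret);
}

/* Safe pattern: a fixed format, the untrusted string as its argument. */
static int render_literal(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Safe stream variant (note the argument order differs from fprintf). */
static int print_literal(FILE *fp, const char *untrusted)
{
    return fputs(untrusted, fp) == EOF ? -1 : 0;
}

/* Returns 1 if the string contains any '%' and would therefore be
 * interpreted if it were ever handed over as a format. */
static int would_be_interpreted(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed sample inputs an "outside party" might supply. The
     * original poster's "bar=30%\n" is deliberately not run through
     * the unsafe path: "%\n" is not a valid conversion, so its result
     * as a format is undefined behaviour. */
    const char *inputs[] = { "bar=30%%", "%x", "%08x" };
    char via_format[64], via_literal[64];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        render_as_format(via_format, sizeof via_format, inputs[i], 0xdeadbeefu);
        render_literal(via_literal, sizeof via_literal, inputs[i]);
        printf("input %-10s as format -> %-12s as %%s -> %s\n",
               inputs[i], via_format, via_literal);
        print_literal(stdout, via_literal);
        putchar('\n');
    }
    return 0;
}
```

With "%x" as input the unsafe path prints "deadbeef", i.e. the value of an argument the untrusted string was never meant to see; the "%s" path prints the two characters "%x". Building with `-Wformat-security` (or `-Wformat=2`) makes the compiler flag calls where a non-literal format is passed with no arguments, which is exactly the fprintf(stdout, foo) shape the reply warns about.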