Why Is Escaping Data Considered So Magical?
Kushal Kumaran
kushal.kumaran+python at gmail.com
Mon Jun 28 00:54:23 EDT 2010
On Mon, Jun 28, 2010 at 2:00 AM, Jorgen Grahn <grahn+nntp at snipabacken.se> wrote:
> On Sun, 2010-06-27, Lawrence D'Oliveiro wrote:
>> In message <roy-854954.20435125062010 at news.panix.com>, Roy Smith wrote:
>>
>>> I recently fixed a bug in some production code. The programmer was
>>> careful to use snprintf() to avoid buffer overflows. The only problem
>>> is, he wrote something along the lines of:
>>>
>>> snprintf(buf, strlen(foo), foo);
>>
>> A long while ago I came up with this macro:
>>
>> #define Descr(v) &v, sizeof v
>>
>> making the correct version of the above become
>>
>> snprintf(Descr(buf), foo);
>
> This is off-topic, but I believe snprintf() in C can *never* safely be
> the only thing you do to the buffer: you also have to NUL-terminate it
> manually in some corner cases. See the documentation.
>
snprintf goes to great lengths to be safe, in fact. You might be
thinking of strncpy.
--
regards,
kushal
More information about the Python-list
mailing list