Why Is Escaping Data Considered So Magical?
Ian Kelly
ian.g.kelly at gmail.com
Fri Jun 25 20:25:04 EDT 2010
On Fri, Jun 25, 2010 at 5:17 PM, Nobody <nobody at nowhere.com> wrote:
> To be fair, it isn't actually limited to web developers. I've seen the
> following in scientific code written in C (or, more likely, ported to C
> from Fortran) for Unix:
>
> sprintf(buff, "rm -f %s", filename);
> system(buff);
Tsk, tsk. And it's so easy to fix, too:
#include <stdio.h>
#include <stdlib.h>

#define BUFSIZE 1000000
char buff[BUFSIZE];
/* snprintf returns the length the string would have had; refuse to run it if it did not fit */
if (snprintf(buff, BUFSIZE, "rm -f %s", filename) >= BUFSIZE) {
    printf("No buffer overflow for you!\n");
} else {
    system(buff);   /* filename still reaches /bin/sh unquoted */
}
There, that's much more secure.
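Added example, not code from the thread: the same "rm -f" done without a shell, so the question of escaping the filename never comes up. It assumes a POSIX system with fork/execvp and an rm on PATH; the metacharacter-laden filename and the /tmp paths are constructed for the demo.

```c
/* Added example, not from the thread: deleting a file named by untrusted
 * input without handing that name to /bin/sh through system(). */
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* "rm -f" with no shell: unlink, treating "already absent" as success. */
int rm_f_direct(const char *path)
{
    if (unlink(path) == 0 || errno == ENOENT)
        return 0;
    return -1;
}

/* If a program must be run, pass the name as one argv element via execvp();
 * no shell parses it, and "--" stops rm from reading "-rf" as options. */
int rm_f_exec(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "rm", "-f", "--", (char *)path, NULL };
        execvp(argv[0], argv);
        _exit(127);             /* only reached if exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

static int touch(const char *path)
{
    FILE *f = fopen(path, "w");
    return f ? fclose(f) : -1;
}

/* Constructed demo: a name holding shell metacharacters is just a name here.
 * Returns 0 if both helpers removed it and "-f" still succeeds when absent. */
int demo(void)
{
    const char *hostile = "/tmp/escape_demo; echo injected";   /* constructed */
    if (touch(hostile) != 0) return -1;
    int ok = rm_f_direct(hostile) == 0 && access(hostile, F_OK) != 0
          && touch(hostile) == 0 && rm_f_exec(hostile) == 0
          && access(hostile, F_OK) != 0 && rm_f_direct(hostile) == 0;
    return ok ? 0 : -1;
}
```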
More information about the Python-list mailing list