Linked by Eugenia Loli on Mon 5th Dec 2005 05:39 UTC
General Development
Strings - such as command-line arguments, environment variables, and console input - are of special concern in secure programming because they comprise most of the data exchanged between an end user and a software system. This chapter covers the security issues with strings and how you can sidestep them.
Thread beginning with comment 68829
RE: Toolkits
by rayiner on Mon 5th Dec 2005 07:00 UTC
rayiner Member since:
2005-07-06

Buffer overflows are common because the C standard library sucks. Not only does it not have a standard string type, but it has very poor tools for manipulating strings, and sequences in general.

Most developers tend to use whatever functions come bundled with the language. You'll not often see someone add a dependency to GTK+, for example, unless they're actually writing a GTK+ application. As a result, most applications that have no GUI tend to use the built-in C routines, and those suck very badly.

Reply Score: 4

RE[2]: Toolkits
by evangs on Mon 5th Dec 2005 07:18 in reply to "RE: Toolkits"
evangs Member since:
2005-07-07

Not to mention the fact that the geek community will be up in arms when they see that your program has a dependency on GTK+ when it doesn't really use anything else apart from GString. Imagine all the cries of bloat you'll be getting.

Reply Parent Score: 4

RE[3]: Toolkits
by miffe on Mon 5th Dec 2005 08:44 in reply to "RE[2]: Toolkits"
miffe Member since:
2005-07-06

> Not to mention the fact that the geek community will be up in arms when they see that your program has a dependency on GTK+ when it doesn't really use anything else apart from GString. Imagine all the cries of bloat you'll be getting.

Which is why most non-graphic stuff in GTK+ is actually in glib. So the programmers should just link with that, not the full GTK.

Reply Parent Score: 3

RE[2]: Toolkits
by Richard James on Mon 5th Dec 2005 08:19 in reply to "RE: Toolkits"
Richard James Member since:
2005-07-07

C development (of the language, not in the language) is pretty much deprecated and replaced by C++. This is why these things have never been fixed. Someone really needs to sit down and write a new C specification and stop expecting developers to not use C because somewhere, somebody is programming in it right now.

Saying that the developers should change to another language or that they should use other libraries to make safe code is stupid, because it is not going to happen. People write in C because it works for their project, not because they have never seen another language before.

Reply Parent Score: 2

RE[3]: Toolkits
by nimble on Mon 5th Dec 2005 09:40 in reply to "RE[2]: Toolkits"
nimble Member since:
2005-07-06

> People write in C because it works for their project

The question isn't whether it works at all, but whether higher-level languages wouldn't work better for them. Especially later on when the project has to be maintained and extended.

> not because they have never seen another language before.

..., but because they're most familiar with C and aren't sure about going with something new. Perfectly natural, if regrettable.

Reply Parent Score: 3