1

In the computer lab at school we wrote a program using fputs, and the compiler returned an error, "gets is a dangerous function to use", and a similar error for fputs.

But at home, when I type in this bit of code:

```c
#include <stdio.h>
main()
{
    FILE *fp;
    char name[20];
    fp = fopen("name.txt","w");
    gets(name);

    fputs(name,fp);
    fclose(fp);
}
```

I get no errors whatsoever. The one at school was similar to this one, just a bit lengthy and having more variables.
I use codeblocks at home and the default gcc provided with fedora at school.
Could it be a problem with the compiler?

tarashish
  • 2
    Possible duplicate of http://stackoverflow.com/questions/2843073/warninggets-function-is-dangerous – Timothy Jones Jan 19 '12 at 06:17
  • 8
    That's why home is better than school :) – Mahesh Jan 19 '12 at 06:18
  • 2
    The school's lab environment may have been configured so that GCC compiles at a higher warning level than your setup. In any case, it's best to heed the warning. – In silico Jan 19 '12 at 06:20
  • 1
    Two important rules of thumb when you are a newbie: trust the compiler (it is very rarely wrong!) and ask it to give all warnings (with `gcc -Wall`). Most real programmers improve their code until no warnings are given. – Basile Starynkevitch Jan 19 '12 at 06:20
  • Sounds like someone is playing god on the school machines. It would be better if they tried to educate instead. It is better to teach you how to fish than to just give you a fish. (Better to teach you why they think these things are bad than to prevent you from learning outright). – old_timer Jan 19 '12 at 06:21
  • FYI **`gets` is so dangerous that it has been removed from the latest C standard**. Never, never, never use it. It is a relic from the past of the first C on Unix in the 1970s. But `puts` is safe to use. – Basile Starynkevitch Jan 19 '12 at 06:22
  • 4
    @BasileStarynkevitch, I actually go _further_ than that and use `gcc -Wall -Wextra` since I found out `gcc` was a pathological liar about the definition of "all" :-) – paxdiablo Jan 19 '12 at 06:27
  • See for yourself. After compiling, run `echo {0..100} | tr -d ' ' | ./a.out` – Shiplu Mokaddim Jan 19 '12 at 07:09

5 Answers

2

With gets you need to know exactly how many characters you will read and accordingly use a large enough buffer. If you use a buffer which is smaller than the contents of the file you read, you end up writing beyond the bounds of your allocated buffer, and this results in Undefined Behavior and an invalid program.

Instead you should use fgets which allows you to specify how much data to read.

You don't get any errors because most likely your allocated buffer name is big enough to hold the contents of your file name.txt, but if it was not then it's a problem, and hence the compiler issues the warning.

Alok Save
1

The other answers have all addressed gets, which is really and truly dangerous.

But the question also mentioned fputs. The fputs function is perfectly safe; it does not have these kinds of security concerns.

I believe the OP was probably mistaken in suggesting that the compiler had warned about fputs.

Steve Summit
1

gets is certainly dangerous since there's no way to prevent buffer overflow.

For example, if your user entered 150 characters, that would almost certainly cause problems for your program. Use of scanf with an unbounded "%s" format specifier should also be avoided for input you have no control over.

However, the use of gets should not be an error since it complies with the standard. At most, it should be a warning (unless you, as the developer, configure something like "treat warnings as errors").

fputs is fine, not dangerous at all.

See here for a robust user input function, using fgets, which can be used to prevent buffer overflow.

Community
paxdiablo
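
A bounded replacement for the `gets(name)` call in the question, built on `fgets` as the answers recommend. This is an added example, not code from the question or from any answer; `read_line` and `enum line_status` are hypothetical names, and the input is constructed in a temporary file in place of stdin.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Read one line into buf, whose capacity is size bytes including the NUL.
 * Unlike gets(), this never stores more than size bytes. A line that does
 * not fit is rejected and its tail discarded, so the leftover bytes are
 * not returned as if they were the next line. */
enum line_status read_line(FILE *in, char *buf, size_t size)
{
    if (size < 2 || size > INT_MAX || fgets(buf, (int)size, in) == NULL) {
        if (size > 0)
            buf[0] = '\0';
        return LINE_EOF;                 /* end of input or read error */
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* whole line fit: drop the newline */
        return LINE_OK;
    }
    /* No newline stored: the buffer filled up or the input ended. */
    int c = getc(in);
    if (c == '\n' || c == EOF)
        return LINE_OK;                  /* exact fit, or unterminated last line */
    while (c != '\n' && c != EOF)        /* too long: discard the remainder */
        c = getc(in);
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

int main(void)
{
    char name[20];                       /* same size as in the question */
    FILE *in = tmpfile();                /* constructed input, stands in for stdin */
    if (in == NULL)
        return 1;
    fputs("Alice\na-name-well-over-twenty-characters-long\nBob", in);
    rewind(in);
    enum line_status st;
    while ((st = read_line(in, name, sizeof name)) != LINE_EOF)
        printf("%s \"%s\"\n", st == LINE_OK ? "accepted" : "rejected", name);
    fclose(in);
    return 0;
}
```

Input containing embedded NUL bytes is not handled specially: `strlen` stops at the first NUL, so such a line is reported as shorter than it was.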
1

It would just be the different settings of the different compilers. Maybe the compiler that Codeblocks uses isn't as verbose or has warnings turned off.

Regardless of the compiler they are dangerous functions to use as they have no checks for buffer overflow. Use fgets or fputs instead.

Sean Dawson
0

As for problems, there isn't any problem with any of the compilers. If you look at the link provided by Timothy Jones, you would understand why this warning is issued. As for different versions of compiler, compilers are configured differently to issue different levels of warning.

Shamim Hafiz - MSFT