I specifically mentioned ostrstream, not streams in general. And it would be interesting to see how the streams in your case were being used, just to be sure that they were not being abused.
Peace!
-=- James.
"Some People Know How To Drive, Others Just Know How To Operate A Car."
(Try Check Favorites Sometime!)
After using them for a while, I basically came to the conclusion that these streams need to be redesigned from the ground up again. Nice start, but they have a lot of limitations (not to mention adding 50k to your program just so you can format a number).
Right tool for the right job. Printf works just fine.
Tim Smith
I know what you're thinking punk, you're thinking did he spell check this document? Well, to tell you the truth I kinda forgot myself in all this excitement. But being this here's CodeProject, the most powerful forums in the world and would blow your head clean off, you've got to ask yourself one question, Do I feel lucky? Well do ya punk?
Ok, my real point to all this really isn't about if streams are better than *printf. They both work just fine, but only a fool wouldn't see that streams are safer.
HOWEVER, my real point was that buffer overrun problems extend far outside the formatting of output and strings. Streams will go a long way to fixing these problems, but they won't even come close to correcting all buffer overrun problems.
Tim Smith
I know what you're thinking punk, you're thinking did he spell check this document? Well, to tell you the truth I kinda forgot myself in all this excitement. But being this here's CodeProject, the most powerful forums in the world and would blow your head clean off, you've got to ask yourself one question, Do I feel lucky? Well do ya punk?
I think you mean sprintf(...), because the discussion is about buffer overruns...
And snprintf(...) is a simple way to prevent them.
Peace!
-=- James.
"Some People Know How To Drive, Others Just Know How To Operate A Car."
(Try Check Favorites Sometime!)
Tim Smith wrote:
ostringstream
As an MFC, ATL and WTL programmer I never use any streams at all. Although, I do use STL containers like map, list, set, and vector a lot.
John
at least use snprintf - to limit the number of chars to be put in the buffer.
-c
shh! the audience (and the NSA) is listening
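To make the two suggestions in this thread concrete (use snprintf to bound what goes into a fixed buffer, or use ostringstream so there is no fixed buffer at all), here is an added example. It is not code from any of the posters; the function names format_bounded, format_stream and formatted_length and the "label=value" format are assumptions made for illustration. The snprintf version checks the return value, which is the only way to know that output was truncated rather than silently cut off.

```cpp
#include <cstdio>
#include <cstring>
#include <sstream>
#include <string>

// Format "label=value" into a caller-supplied buffer of buflen bytes.
// snprintf never writes past buflen and always NUL-terminates when
// buflen > 0, so the buffer cannot overrun. It returns the length the
// full output WOULD have had; a value >= buflen means it was truncated.
// Returns true when the whole string fit, false when truncated or on error.
bool format_bounded(char* buf, size_t buflen, int value, const char* label) {
    if (buf == nullptr || buflen == 0) {
        return false;
    }
    int needed = std::snprintf(buf, buflen, "%s=%d", label, value);
    if (needed < 0) {          // encoding error: leave an empty, valid string
        buf[0] = '\0';
        return false;
    }
    return static_cast<size_t>(needed) < buflen;
}

// Same formatting with an ostringstream: the stream grows as needed,
// so there is no fixed-size buffer to overrun (at the cost of a heap
// allocation, which is the trade-off discussed above).
std::string format_stream(int value, const char* label) {
    std::ostringstream oss;
    oss << label << '=' << value;
    return oss.str();
}

// Size query: snprintf with a null buffer and size 0 writes nothing and
// returns the number of characters the output needs (excluding the NUL).
// Useful for choosing a buffer size before formatting for real.
size_t formatted_length(int value, const char* label) {
    int needed = std::snprintf(nullptr, 0, "%s=%d", label, value);
    return needed < 0 ? 0 : static_cast<size_t>(needed);
}

int main() {
    char small[8];                       // deliberately too small for the output
    bool fit = format_bounded(small, sizeof small, 1234567, "count");
    std::printf("bounded: \"%s\" (fit=%d, needed %zu bytes)\n",
                small, fit ? 1 : 0, formatted_length(1234567, "count"));

    std::string s = format_stream(1234567, "count");
    std::printf("stream:  \"%s\"\n", s.c_str());
    return 0;
}
```

Note that truncation is still a bug in its own right (a cut-off path or command string can be just as harmful as an overrun), which is why the bounded version reports it instead of returning the partial string as if it were complete.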
We should definitely use appropriate C++ classes for dealing with memory when raw performance is not needed.
When raw performance is needed, though, there is no substitute for stack allocated C style arrays. And heap allocated C style arrays will still outperform any object oriented solution available today.
I have experimented in one of my libraries with CString, std::string and TCHAR arrays and there is no doubt that TCHAR arrays delivered the best performance by far and in this particular system, performance was/is far more important than OOP. It definitely requires more work to make sure that it is done right and does not overwrite memory or access deleted memory but when needed it's the only way to go.
I haven't worried at all about security yet since I haven't gotten even close to a release version.
- Matt Newman / Windows XP Activist
-Sonork ID: 100.11179
Could you Would you with a goat? - Dr Suess
Somewhat. I am trying to get the core of the program done first. However, say my program uses password authentication: the CheckPassword() function doesn't do anything, it just assumes it is okay and passes it on. When I get a functioning build (i.e. it starts doing its function) I will make CheckPassword() actually check the password etc etc. For example the server I am working on accepts connections and nothing more so there isn't any need for security so far.
- Matt Newman / Windows XP Activist
-Sonork ID: 100.11179
Could you Would you with a goat? - Dr Suess
I really suggest that you read some book on security (e.g. Writing Secure Code, MS Press).
There is more to security programming than a CheckPassword() function. And since you mentioned a server, things like DoS and similar attacks come into mind.
Think about
Andreas
Vote against software patents in europe
Andreas Saurwein wrote:
There is more to security programming than a CheckPassword() function
I was just using that as an example.
I do have to worry about DoS etc but my server doesn't really do anything that could be exploited yet. I was merely saying that my project is in its infancy and is even close to exposing critical information.
Andreas Saurwein wrote:
Writing Secure Code, MS Press
Thanks for the book suggestion I will have to check that out.
- Matt Newman / Windows XP Activist
-Sonork ID: 100.11179
Could you Would you with a goat? - Dr Suess
When you work in a bank... security is always an issue... I'm really paranoid with security... just as my bosses
Mauricio Ritter - Brazil
Sonorking now: 100.13560 Trank
The alcohol is one of the greatest enemies of man, but a man who flees from his enemies is a coward.
I do GSM MO & BioMetric Solutions and security is really a big issue. Especially if you ship products worldwide!!
Empowerment through development. If the development only WANTS TO WORK!!
I think we've gone a little paranoid on security. I can't believe the number of places that expect me to supply a password these days. I've gotten to the point now that, if someone expects me to set up an account and supply a password in order to upload shareware to their site, I simply say "no".
And I have a small set of passwords that I use for everything, along with a simple set of rules for deriving new ones. Maybe the security "experts" (parasites?) think this is a bad idea, but I have to live in the real world.
Jim, I keep a simple text file on my PC that has been encrypted by one password using a simple app.
The text file contains all my accounts, Usernames/IDs and Passwords that I use.
Darn boring but it works.
All I have to remember is One Master Password and I have Access to the rest.
"Maybe I should make a proper App that does this" Because I find it so darn useful.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
There are actually a ton of password managers available for free that do this (even though I'm about to write one in C# just for the hell of it.) Search for "password managers" on Google and pick the one you like.
Kevin
I should have guessed they were already available.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
Kevin Stewart wrote:
There are actually a ton of password managers available for free that do this (even though I'm about to write one in C# just for the hell of it.) Search for "password managers" on Google and pick the one you like.
Maybe they have a backdoor
That would be a good reason to write one yourself
Many web sites don't seem to require an account for security, but for acquiring your e-mail address...
It's hard to scratch your ass when you sit on it. [sighist]
"None - we just don't care"
Most real security is real security not code.
Like leaving passwords lying around, easy passwords,
File size checks. Logs etc.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
I'm always amazed by how easily people will tell you their passwords. It's just not something that's taken seriously in a good many cases.
--------
A common man's understanding of science. Not a normal common man's of course. A very smart common man's. -- Nish, on Science Writing
ring ring ..
"Hello I'm John CrazyHorse from the special security detail can I check your details for an investigation we are doing for your employer."
Actually hacking a network from the outside is quite difficult in comparison.
I know a lot of IT departments spend small fortunes on techno stuff, when they should be training employees on the basics.
Regardz
Colin J Davies
Sonork ID 100.9197:Colin
More about me
Colin Davies wrote:
when they should be training employees on the basics
You mean the infamous don't be dumb course?
Cheers,
Simon
"Every good work of software starts by scratching a developer's personal itch.", Eric S. Raymond