Strings and input

marales314 · 12-31-2004, 12:00 AM

When someone types in a string, like "hi I am Bill", how do you do something where you test to see if your string (array of characters) matches that?

Would it be something like: if msg[20] == "hi I am Bill" ?
I can't seem to get this to work.

leonscape · 12-31-2004, 12:07 AM

I presume where talking C?

Code:

if ( !strcmp( msg, "hi I am Bill" ) )
   //we have a match
else
   //No match

You need to check out The GNU C Library, specifaclly the String and Array Utilities section.

fr0zen · 12-31-2004, 12:33 AM

And if you happen to know the maximum size of the buffer, you might as well just use strncmp since it's a safer function.

Code:

char msg[20];
strcpy(msg, "Hi, My name is Bill.");

int result = strncmp( msg, "Hi, My name is Bill.", 20);
if(result == 0) 
 // the strings match
else if(result < 0)
 // the first string is "less" than the second
else if(result > 0)
 // the first string is "greater" than the second

itsme86 · 12-31-2004, 02:43 AM

Quote:

Originally posted by fr0zen
And if you happen to know the maximum size of the buffer, you might as well just use strncmp since it's a safer function.

How is strncmp() safer than strcmp()?

bigearsbilly · 12-31-2004, 04:55 AM

because it checks the size of the buffer before comparing.
this stops buffer over-runs which are a major source of
run-time crashes in C and best practice for program security.

If you read most linux security issues they are to do with buffer
overruns from using things like strcat instead of strncat etc.

billy

Hko · 12-31-2004, 06:54 AM

Quote:

Originally posted by bigearsbilly
because it checks the size of the buffer before comparing.
this stops buffer over-runs which are a major source of
run-time crashes in C and best practice for program security.

If you read most linux security issues they are to do with buffer
overruns from using things like strcat instead of strncat etc.

While this does sound logic, it's not really true in this case.

A buffer overrun occurs when the program writes past the end of the allocated buffer. But this is about strcmp(), which only reads 2 buffers. This is confirmed by the prototype of strcmp(): Both string parameters are declared as "const char *". The "const" specification ensures us the function will not write to the buffers.

Of course it is possible for strcmp() to read past the end of the buffer which may cause the program to crash with a segmentation fault. So you may think this introduces at least a Denial Of Service vulnerability in the program which can be prevented by using strncmp() instead of strcmp().

But think again: This can will only happen when the string in the buffer is not '\0'-terminated correctly. If this is the case, then this happened when the string-buffer was written i.e. read from user input, constructed with strcpy(), strcat(), gets() or the similar.

So a bug causing strcmp() to segfault is not in calling strcmp(), but before that, when the buffer was written.

Nontheless, using strncmp() instead of strcmp() cannot really harm. Only the performance may be slightly less. And in corner cases it may hide a real bug when a buffer is written by not segfaulting when a segfault would reveal the real buffer-bug somewhere else in the program where the buffer was written (as described above).

marales314 · 01-24-2005, 01:32 AM

wow! thank you.. Sorry I haven't responded to this, but it's exactly what I was wondering.