Comments by "Anony Mousse" (@anon_y_mousse) on the Low Level channel's "why do hackers love strings?" video.
Most important message to be conveyed here, never trust user input. Always check it, always restrict what you do with it.
2200
@rockytom5889 I think it's definitely overused, but it can be useful when used effectively. Most C++ programmers do it wrong, but you can do OOP in any language and most C programmers who write OO code do it right.
6
@oxycodin2253 C++ inherited C's standard library, so any vulnerabilities that exist in the library, such as the obvious ones like getc() and scanf() and all the rest are also in C++. As for the language sans library, the only vulnerabilities are introduced by the programmer and exist for C++ too.
6
@rockytom5889 Yep, even after all these years I still read man pages. Although, I don't have the best memory, so I kind of have to, but even for people who are less forgetful it's a good idea.
5
@deang5622 Aside from there being more than one type of array, you didn't read my comment all the way to the end.
3
@deang5622 Okay, you claim you read to the end, yet you still focus on the portion where I mentioned libraries, ignoring the portion at the end where I mentioned the languages sans library. Do you know what sans means? Or are you contending that because this error is possible in nearly every language it doesn't apply?
3
@monad_tcp That's okay, the compiler doesn't trust your code either.
3
@TheCustomFHD Depends on how you're reading it in. From the command line it'll generally be safe, but if someone used exec*() to start your program then you can't really trust the command line entirely; that's another paragraph if you're curious. If you read user input directly, fgets() is generally a good and safe method; then use all the str*() parsing functions or sscanf(), just remember that if the line is super long it won't have a \n at the end of the buffer, and you could always use fgetc() and read a character at a time and buffer it yourself. A resizable buffer is a good idea then, but maybe restrict the user to 32k for your sanity. Reading characters instantly is a whole other ball of wax and you could use ncurses or some platform specific API.
2
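The following is an added example (written for this page, not the commenter's or the channel's code) that puts the fgets()/fgetc() advice above, and the earlier remark about scanf() in the C library, into working C: a fixed-buffer fgets() reader that detects the missing trailing \n on an over-long line and drains the rest so the next read starts on a fresh line, an fgetc() reader into a growable buffer that refuses lines past a hard cap, and a width-bounded sscanf() parse. The "name age" line format, the 32 KiB cap, and the helper names are assumptions for illustration; the input lines in the self-checks are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define MAX_LINE (32 * 1024)  /* hard cap on one user-supplied line (the 32k suggested above) */

/* Read one line with fgets() into a fixed buffer of n bytes. Returns false at
 * EOF with nothing read. When the line did not fit, the buffer holds the first
 * n-1 characters, *truncated is set, and the rest of the line is drained so the
 * next call starts on a fresh line instead of the tail of this one. */
bool read_line_fixed(FILE *in, char *buf, size_t n, bool *truncated)
{
    *truncated = false;
    if (fgets(buf, (int)n, in) == NULL)
        return false;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                 /* drop the newline */
        return true;
    }
    /* No '\n': either the final line of the input lacks one, or the line was
     * longer than the buffer. Drain to end of line; any character seen here
     * means input was discarded. */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *truncated = true;
    return true;
}

/* Read one line with fgetc() into a growable buffer, refusing anything longer
 * than max_len bytes. Returns a malloc'd NUL-terminated string (caller frees),
 * or NULL at EOF with nothing read, on allocation failure, or on an over-long
 * line (whose remainder is drained). */
char *read_line_dynamic(FILE *in, size_t max_len)
{
    size_t cap = 128, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (len == max_len) {                /* cap hit: drain and refuse the line */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
            free(buf);
            return NULL;
        }
        if (len + 1 >= cap) {                /* keep room for the terminator */
            char *tmp = realloc(buf, cap * 2);
            if (tmp == NULL) { free(buf); return NULL; }
            buf = tmp;
            cap *= 2;
        }
        buf[len++] = (char)c;
    }
    if (len == 0 && c == EOF) { free(buf); return NULL; }
    buf[len] = '\0';
    return buf;
}

/* Parse "name age" (assumed format) out of a line already read. The width in
 * %31s bounds the write into name[32]; a bare %s is the classic overflow. */
bool parse_name_age(const char *line, char name[32], int *age)
{
    return sscanf(line, "%31s %d", name, age) == 2;
}

/* Constructed input stream; tmpfile() keeps this plain ISO C (no fmemopen). */
static FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Self-check: a 20-byte buffer fed a 40-character line must report truncation
 * and still deliver the following line intact. Returns 1 on success. */
int check_fixed_buffer(void)
{
    FILE *f = stream_from("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nalice 42\n");
    char buf[20]; bool trunc;
    int ok = f != NULL
          && read_line_fixed(f, buf, sizeof buf, &trunc) && trunc && strlen(buf) == 19
          && read_line_fixed(f, buf, sizeof buf, &trunc) && !trunc && strcmp(buf, "alice 42") == 0;
    if (f) fclose(f);
    return ok;
}

/* Self-check: with the cap set to 16, a 20-character line is refused, the line
 * after it is read and parsed cleanly, and EOF yields NULL. Returns 1 on success. */
int check_dynamic_buffer(void)
{
    FILE *f = stream_from("BBBBBBBBBBBBBBBBBBBB\nbob 7\n");
    char *first = f ? read_line_dynamic(f, 16) : NULL;
    char *second = f ? read_line_dynamic(f, 16) : NULL;
    char name[32]; int age = 0;
    int ok = f != NULL && first == NULL && second != NULL
          && parse_name_age(second, name, &age) && strcmp(name, "bob") == 0 && age == 7
          && read_line_dynamic(f, 16) == NULL;
    free(first); free(second);
    if (f) fclose(f);
    return ok;
}

int main(void)
{
    while (!feof(stdin)) {
        char *line = read_line_dynamic(stdin, MAX_LINE);
        if (line == NULL) {
            if (!feof(stdin)) fprintf(stderr, "line too long (or out of memory), skipped\n");
            continue;
        }
        char name[32]; int age;
        if (parse_name_age(line, name, &age)) printf("name=%s age=%d\n", name, age);
        else fprintf(stderr, "rejected: %s\n", line);
        free(line);
    }
    return 0;
}
```

The two readers make different trade-offs: the fgets() version never allocates and must tell the caller explicitly that it threw part of a line away, while the fgetc() version hands back whole lines but treats "too long" as a refusal rather than a silent cut. Either way the parse step only sees a bounded, NUL-terminated line, and sscanf() is only given a width-limited conversion.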
@afelias Heh, good ol' Bobby Tables.
2
@HrHaakon So check user input then wrap it up, potentially in another allocation, just to indicate that you've checked it? No, you should only be taking user input at a few known points in your program, if more than one, and thus should only need to check it in that/those location(s). Don't add unnecessary complexity.
2
@ragnarok7976 Yep, and that's one advantage of a GUI over a [CT]?UI. However, if you need to save configuration data or you're not implementing a GUI, you would then have to handle user input with tricky validation code. Of course, when you consider how that input is gathered by the system, it's not so much that only valid input is accepted but rather invalid input is ignored.
1
@HrHaakon Well, for starters, you're talking about C++, not C, but it's also unnecessary complexity, regardless of which language you're using, and annoying for anyone to use. The novice won't be able to set it up, and the experienced programmer won't need it.
1
@HrHaakon We're talking about programming languages here, and in this context words have specific meanings. You can't just apply class to a discussion relating to languages which don't provide any utilities for creating them. What you should have said is module, which C does have a definition for, and as such would make more sense in the general case as it will apply to nearly every language. However, that said, what you're talking about in that prior post is completely pointless because as I've already stated, you'll just be adding unnecessary complexity that a newbie won't be capable of setting up yet and a pro won't need.
1
@HrHaakon This whole channel mostly focuses on C or Rust, and neither has classes, and from what the propagandists keep telling me, Rust doesn't need help in that regard. And no, don't give me that BS about it being that simple because strings in C are not that simple and there are further implications to obscuring any string type, especially when you're using a language like C.
1