strstr()C ++的安全版本? [英] A safe version of strstr() C++?
问题描述
我必须通过项目代码运行Parasoft C ++ Static Analysis。我的代码(即strstr)上的子字符串函数不断被标记为我应该修复的警告,并且有很多它们。警告如下:
不得使用库< cstring>的'strstr'功能
我怀疑这是因为我应该使用更安全的方式来实现子串逻辑。是否有strstr函数的安全版本? (即strcpy_s而不是strcpy /甚至strncmp而不是strcmp)我似乎没有在其他任何地方找到任何提及。
任何有修复/想法的人?
谢谢。
---------------- -----
查看提供的评论/解决方案后的详细说明:
代码实际上使用了strstr字符指针重载函数。我想这就是为什么Parasoft在抱怨?我想我可以尝试使用std :: strings,但我试图避免更改代码,因为它最初不是由我编写的。
it不是错误,而是来自Parasoft的警告。
确切的警告声明库的'strstr'功能< cstring>不得使用
调用此警告的代码可能是:
char * line1 = somebuffer;
char * line2;
line2 = strstr(line1,\ n); //在这里调用警告。
Hi,
I have to run Parasoft C++ Static Analysis through my project code. The substring functions on my code (i.e. strstr) keep getting flagged out as a warning that I should fix, and there are lots of them. The warning reads:
"The 'strstr' function of library <cstring> shall not be used"
I suspect it's because I should be using a safer way to implement substring logic. Is there a safe version of the strstr function? (i.e. strcpy_s as opposed to strcpy / or even strncmp instead of strcmp) I don't seem to find any mention of this anywhere else.
Anyone with a fix/idea?
Thanks.
---------------------
Elaboration after looking at the comments/solutions offered:
The code actually uses the strstr character pointer overloaded functions. I suppose that's why Parasoft is complaining? I suppose I could try using std::strings instead but I'm trying to avoid changing the code too much since it wasn't originally written by me.
it isn't an error, but rather, a warning from Parasoft.
The exact warning states "The 'strstr' function of library <cstring> shall not be used"
Code that would invoke this warning could be:
char *line1 = somebuffer;
char *line2;
line2 = strstr(line1, "\n"); //warning is invoked here.
推荐答案
使用strstr
没有太大问题 - 指针除外论证和整个是零终止还是没有?
在C ++中,你通常使用std :: string :: find
。如果你坚持不使用字符指针作为参数的重载,你将是相当安全的。
There's not a lot wrong with usingstrstr
- except for the pointer arguments and the whole "is it zero terminated or not?" thing.
In C++ you'd generally usestd::string::find
. If you keep to the overloads that don't take character pointers as parameters you'll be fairly safe.
据我所知,没有这种函数的安全版本。
但是,由于你使用的是C ++,std :: string
s而不是字符数组将是一个更合适的选择。
值得注意的是:
- 也许你的代码实际上是安全的你可以放心地忽略这些警告(例如,你对输入字符串有完全的控制)。
- 你可以为
strstr
提供一个安全的包装:这可以解决潜在的安全风险,但你将继续收到警告。
As far as I know, there is NOT a safe version of such a function.
However, since you are using C++,std::string
s instead of character arrays would be a more appropriate choice.
It is worth noting:
- Maybe your code is actually secure and you can safely ignore the warnings (e.g. you have full constrol on input strings).
- You may provide a safe wrapper for
strstr
: this would solve the potential security risk, but you'll keep getting the warnings.
根据您现在提供的确切消息,您使用了
According to the exact message you now provided you used
#include <cstring>
而不是
#include <string>
或
#include <string.h>
如果您的编译器,或者在这种情况下,您的静态分析工具不知道特定于MS的标头,这可能会导致警告或错误(这一个是)。请参阅 http://stackoverflow.com/questions/12824595/difference-between-cstring-and-string [ ^ ]了解此事。
我建议您尝试
This may cause warnings or errors if your compiler, or, in this case, your static analysis tool, is not aware of the MS-specific headers (which this one is). See http://stackoverflow.com/questions/12824595/difference-between-cstring-and-string[^] for some insight into this matter.
I suggest you try
#include <string.h>
然后看看Parasoft对您的代码的看法。
and see what Parasoft thinks about your code then.
这篇关于strstr()C ++的安全版本?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!