为什么我的字符串在我的iOS应用程序中可能不安全？ [英] Why is my string potentially unsecure in my iOS application?

问题描述

我正在初始化一个可变字符串，然后按如下方式记录它。

I am initializing a mutable string and then logging it as follows.

NSMutableString* mStr = [[NSMutableString alloc] init];
mStr = (NSMutableString*) someTextFieldIbOutlet.text;
NSLog((NSString *) mStr);

代码工作并运行，但我收到一个奇怪的警告（黄色）：

The code works and runs, but I am getting a strange warning (in yellow):

Format string is not a string literal (potentially insecure).

为什么？

推荐答案

嗯，这里有一些问题。

第一个（而不是你问过的那个）是你要分配一个新的当你将它设置为someTextFieldIbOutlet.text时，NSMutableString然后简单地将它扔到第二行。此外，您正在将一个不可变的字符串转换为可变的字符串，该字符串实际上不起作用。相反，将前两行组合如下：

The first one (and not the one that you asked about) is that you are allocating a new NSMutableString and then simply throwing it away in the second line when you set it to someTextFieldIbOutlet.text. Also, you are casting a non-mutable string to a mutable one which won't actually work. Instead, combine the first two lines like this:

NSMutableString* mStr = [NSMutableString stringWithString:someTextFieldIbOutlet.text];

你得到的实际错误是因为NSLog的第一个参数应该是 format告诉NSLog如何格式化后面的参数后面的数据的字符串。这应该是一个文字字符串（创建类似 @这是一个文字字符串），因此它不能用于通过对其进行更改来利用您的程序。

The actual error that you are getting is caused because the first argument to NSLog is supposed to be the "format" string which tells NSLog how you want to format the data that follows in later arguments. This should be a literal string (created like @"this is a literal string") so that it can not be used to exploit your program by making changes to it.

相反，请使用：

NSLog(@"%@", mStr );

在这种情况下，格式字符串是 @％@表示创建 NSString 对象设置为％@ 。 ％@ 表示下一个参数是一个对象，并用对象的描述替换％@ （在此case是字符串的值。）

In this case, the format string is @"%@" which means "Create a NSString object set to %@". %@ means that the next argument is an object, and to replace %@ with the object's description (which in this case is the value of the string).

这篇关于为什么我的字符串在我的iOS应用程序中可能不安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！