When I try to compile C code that uses the gets function, I get a warning: warning: the gets function is dangerous and should not be used.
I remember this has to do something with stack protection and security, but I'm not sure. Can someone help me with removing this warning and explain why is there such warning? If gets is "dangerous" then why can't we remove it?
In order to use gets safely, you have to know exactly how many characters that you will be reading so you can make your buffer large enough. You will only know that if you know exactly what data you will be reading.
Instead of using gets, you want to use fgets, which has the signature char* fgets(char *string, int length, FILE * stream).
It was never removed from the C standard for backwards compatibility.
You can't remove API functions without breaking the API. If you would, many applications would no longer compile or run at all.
This is the reason that one reference gives:
Reading a line that overflows the array pointed to by s results in undefined behavior. The use of fgets() is recommended.
Because gets doesn't do any kind of check while getting bytes from stdin and putting them somewhere. A simple example:
char array1[] = "12345";
char array2[] = "67890";
gets(array1);
Now, first of all you are allowed to input how many characters you want, gets won't care about it. Secondly the bytes over the size of the array in which you put them (in this case array1) will overwrite whatever they find in memory because gets will write them. In the previous example this means that if you input "abcdefghijklmnopqrts" maybe, unpredictably, it will overwrite also array2 or whatever.
The function is unsafe because it assumes consistent input. NEVER USE IT!
I read recently, in a USENET post to comp.lang.c, that gets() is getting removed from the Standard. WOOHOO
You'll be happy to know that the committee just voted (unanimously, as it turns out) to remove gets() from the draft as well.