Re: Visual C++ vs Visual C#
Assumptions about reasonable input lengths
aren't bad, they just need to be explicitly enforced. If your
program is intended to work on strings of up to 40 characters,
you're much better off checking (portably) memchr(input, 0, 40) or
(Win32 only) !IsBadStringPtr(input, 40) and rejecting a malicious
input outright, rather than dynamically allocating a "big enough"
buffer. In any case you need an SEH block to catch wild pointers.
I would rather have a beginner use cin and std::string for her first input
attempt, than try to teach the necessary magic to make reading into a
fixed buffer work properly.
I think it's important to teach "don't trust the input" from the very first
time you have input, and validating input, rather than using functions that
silently hog resources to accommodate malformed or malicious inputs. That
"necessary magic" is just:
const int MaxLengthOfLastName = 100;
char LastName[MaxLengthOfLastName];
cin.getline(LastName, MaxLengthOfLastName);
which not only (1) can't overflow but also (2) detects runaway inputs by
setting the fail bit, and as such can't be used for a DOS attack. Not much
takes a server down as effectively as exhausting available memory and
forcing all apps to page.
Allowing an arbitrary length input should be a conscious decision, when no
reasonable upper limit exists, not chosen by default.
Remember, we are not talking about censoring the language, but selecting
what to teach first, and what we can put off until the very end of the
book. Learning C first is starting with the "C++ trivia" appendix.
Bo Persson
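
The bounded-read idea discussed in the post, as an added example that is not part of the original thread: it wraps the getline call so an overlong line is rejected and discarded instead of buffered, and includes the portable memchr check. The names ReadResult, read_bounded_line and terminated_within, and the sample input, are assumptions made up for this illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <limits>
#include <sstream>
#include <string>

const int MaxLengthOfLastName = 100;  // limit taken from the post

// ReadResult, read_bounded_line and terminated_within are names made up here.
enum class ReadResult { Ok, TooLong, NoInput };

// Read one line into buf (cap bytes, terminator included). An overlong line
// is rejected and its tail discarded, so memory use stays fixed.
ReadResult read_bounded_line(std::istream& in, char* buf, std::streamsize cap) {
    in.getline(buf, cap);
    if (!in.fail()) return ReadResult::Ok;             // line fit in cap-1 chars
    if (in.bad() || in.eof()) return ReadResult::NoInput;
    in.clear();                                        // failbit only: runaway line
    in.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
    return ReadResult::TooLong;
}

// Portable check from the post: is there a NUL within the first max bytes?
// The caller must own at least max readable bytes at p.
bool terminated_within(const char* p, std::size_t max) {
    return std::memchr(p, 0, max) != nullptr;
}

int main() {
    // Constructed input: a normal name, a 500-character line, another name.
    std::istringstream in("Persson\n" + std::string(500, 'A') + "\nSmith\n");
    char LastName[MaxLengthOfLastName];
    for (;;) {
        ReadResult r = read_bounded_line(in, LastName, MaxLengthOfLastName);
        if (r == ReadResult::NoInput) break;
        if (r == ReadResult::TooLong) std::cout << "rejected: line too long\n";
        else std::cout << "accepted: " << LastName << "\n";
    }
    return 0;
}
```

After a TooLong result the stream is positioned at the start of the next line, so one runaway input does not poison the reads that follow it.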