It is usually said that scanf is not a safe function. Clang and GCC do not issue any warnings, but MSVC does not even compile (unless you include _CRT_SECURE_NO_WARNINGS):
Error C4996 'scanf': This function or variable may be unsafe.
Does this mean that in some cases scanf is guarantee to not overflow and in others not?
If so, which exactly are these cases?
Another function also for reading data is gets
Are there cases where gets can be used safely or should it be avoided altogether?
It is usually suggested as an alternative to scanf and gets the use of fgets.
How is fgets more secure?
Functions scanf and gets for string processing
The scanf function is safe for string processing because there is a specific field to delimit the length of the string. This is shown in the following example.
// Example 01
#include <stdio.h>
#define SIZE 7
int main(void)
{
char city[SIZE];
printf("Insert the name of your city: "); // Columbus
scanf("%6s", city);
printf("The city is: %s", city); // Columb
return 0;
}
/* ## Output ##
* Insert the name of your city: Columbus
* The city is: Columb
*/
If the user enters for the name of the city Columbus, a buffer overflow will not occur, since scanf will limit itself to trying to store only the first 6 characters of the string in city, according to the %6s instruction (in addition to inserting at the end \0, which is the null character: reference). Therefore, when the result is shown on the screen, it appears Columb as the name of the city.
The drawback is that the string length limit cannot be entered as an argument directly, unlike printf. More details in the Annex.
String processing can also be performed by the function gets. However, gets does not have any delimiter fields and will read until it finds a newline or the end of the file (EOF). Rewriting the previous example for gets:
// Example 02
#include <stdio.h>
#define SIZE 7
int main(void)
{
char city[SIZE];
printf("Insert the name of the city: "); // Columbus
gets(city);
printf("The city is: %s", city); // ???
return 0;
}
/* ## Possible Output ##
* Insert the name of the city: Columbus
* The city is: Columbus
*/
Gets tries to store the complete string in city, which is not possible, after all, city does not support a string of 8 characters. In the tested case, gets invaded adjacent memory addresses to write the part of the string that could not be stored in city, resulting in a buffer overflow. If a string is long enough, it is expected that in addition to a buffer overflow, it will also causes a segmentation fault (more details here and here). Buffer overflow is one of the main vulnerabilities exploited by hackers and therefore special attention should be paid to this issue (video: buffer overflow attack. Text: Buffer Overflow Exploitation). Thus, due to the lack of a field that defines the length of the string to be stored, it is impossible to read strings safely with gets (and reading strings is the only function of gets). Therefore, gets should never be used and has been completely removed from the language as of C11.
Functions scanf and fgets for arithmetic data processing
In addition to strings, scanf also reads arithmetic data (integer and floating point values). However, for this case, scanf is not safe, and there is no guarantee protection against undefined behavior. The following code illustrates this. Since the C standard specifies only the absolute minimum value of integer types, the value of LONG_MIN and LONG_MAX are implementation-dependent, but it is mandatory that LONG_MIN <= -2147483647 and LONG_MAX >= +2147483647).
// Example 03
#include <stdio.h>
#include <limits.h>
#include <errno.h>
#define SIZE 100
int main(void) {
long a;
char buffer[SIZE];
printf("Enter a number: "); // 2147483648 (LONG_MAX + 1)
int success = scanf("%ld", &a);
printf("a = %ld", a);
getchar();
printf("\nEnter a number: "); // 2147483648
fgets(buffer, SIZE, stdin);
long b = strtol(buffer, NULL, 10);
if (b == LONG_MAX && errno == ERANGE) {
printf("b: Overflow!\n");
}
else if (b == LONG_MIN && errno == ERANGE) {
printf("b: Underflow!\n");
}
printf("b = %ld", b);
return 0;
}
/* ## Possible Output ##
* Enter a number: 2147483648
* a = -2147483648
* Enter a number: 2147483648
* b: Overflow!
* b = 2147483647
*/
The user enters a sufficiently large number that long is unable to store (read Note). Scanf reads the number and returns 1 (the return of scanf indicates the number of values successfully assigned). However, overflow happens and according to the C Standard integer overflow results in undefined behavior. In the test carried out with the example, to the variable a was assigned the value -2147483648. This indicates that there was what is known as wraparound. However, scanf does not allow testing integer overflows. The situation can be mitigated by seeking to impose a limit on the value read. Considering a long where LONG_MAX is +2147483647, it is possible to impose a limit by writing scanf("%9ld", number). Note that a value with 10 digits (%10ld) would already open room for overflow (+9 999 999 999 > +2 147 483 647). However, imposing the limit of 9 digits, what happens is that there is a range of numbers that are valid (long is able to store), but the code excludes from the possibilities. On the other hand, fgets offers protection. First, in the code, fgets(buffer, SIZE, stdin) limits the value read, preventing the occurrence of a buffer overflow, which could be critical. Next, strtol performs the conversion to long: long b = strtol(buffer, NULL, 10). It is not possible to store the value in the long type, so strtol:
Returns the largest possible integer: LONG_MAX. With this, it avoids the occurrence of a overflow of the variable b.
Sets the errno flag to ERANGE indicating that an error has occurred, specifically a value processed with excessively large magnitude.
It is worthy noting that scanf does not set errno, preventing a similar strategy from being adopted in scanf.
Note that fgets logic is safe. Even if an overflow-based attack is attempted, all behaviors are well defined. There will be no buffer overflow and no integer overflow of variable b, which will necessarily be in its validity range.
If it's a float type, the situation is more subtle. According to IEEE 754, if a number is too large to be stored in a float type, it must be assigned to the variable the special value inf or -inf (IEEE 754 topic 7.4 and covered here [topic 2 Overflow and underflow] and here [topic: 2.3.2 Overflow]). However, this is not in the C standard. Therefore, a compiler may or may not reproduce the behavior described in IEEE 754. If there is compliance with IEEE 754, the behavior of scanf, when reading an excessively large number, will be to assign to the variable of type float the special value inf or -inf. This is defined behavior and, in this sense, safe. This is illustrated in the code below.
// Example 04
#include <stdio.h>
#include <math.h>
int main(void) {
float a;
printf("Enter a number: "); // 2E40
int success = scanf("%f", &a); // 1
if (isinf(a)) {
printf("Underflow or Overflow!\n"); // Underflow or Overflow!
}
printf("a = %f", a); // inf
return 0;
}
/* ## Possible Output ##
* Enter a number 2E40
* Underflow or Overflow!
* a = inf
*/
This code has been tested on MSVC, Clang, GCC and TCC. In all cases, was assigned to the variable a special value inf. However, C compilers are not required to comply with IEEE 754 and therefore scanf is not safe for storing floating point numbers.
On the other hand, the fgets strategy involves two sequential operations:
fgets stores the value read as a string in a array of chars
strtof converts the string to float
The first operation is safe, as show in example 3. The second operation is also safe, since its behavior is determined by the C standard. If the value converted by strtof is outside the valid range, then HUGE_VALF is returned (reference). With this, there is the certainty of a defined behavior.
Therefore, the processing of floating point values by fgets strategy is safe. The code below is fgets version of Example 4.
// Example 05
#include <stdio.h>
#include <math.h>
#include <stdlib.h>
#define SIZE 50
int main(void) {
char buffer[SIZE];
float a;
printf("Enter a number: "); // 2E40
fgets(buffer, SIZE, stdin);
buffer[strcspn(buffer, "\n")] = 0; // remove '\n'
a = strtof(buffer, NULL);
if (isinf(a)) {
printf("Underflow or Overflow!\n");
}
printf("a = %f", a); // +inf
return 0;
}
/* ## Output ##
* Enter a number: 2E40
* Underflow or Overflow!
* a = inf
*/
Function fgets for processing strigs
In addition to arithmetic data processing, fgets can also be used for string processing, as a substitute of scanf. The first example with scanf can be adapted to an alternative version with fgets.
// Example 06
#include <stdio.h>
#define SIZE 7
int main(void) {
char city[SIZE];
printf("Insert the name of the city: "); // Columbus
fgets(city, SIZE, stdin);
printf("The city is: %s", city); // Columb
return 0;
}
/* ## Output ##
* Insert the name of the city: Columbus
* The city is: Columb
*/
Like scanf, fgets also provides buffer overflow protection processing strings. However, unlike scanf, in fgets the maximum value for the number of characters read can be inserted directly as an argument and in this case was inserted through SIZE (more information in the Annex).
Annex
With printf it is possible to insert the value for the delimiter field through an argument. The following example illustrates this:
// Example 07
#include <stdio.h>
#define SIZE 6
int main(void) {
char country[20] = "Canada";
printf("%.*s \n", SIZE, country); // Canada
printf("%.6s \n", country); // Canada
return 0;
}
/* ## Output ##
* Canada
* Canada
*/
For scanf the only direct strategy is analogous to the second printf. This is a disadvantage since the delimiter field through an argument, unlike the "hardcoded" strategy, allows to easily work with cases where the value comes from:
A variable from another file
A user-entered argument
and it is still convenient if used in multiple printf.
Note: scanf can receive the value for the delimiter field through andargument, but not directly. Details here and here.
Note
A buffer overflow can be defined as an invasion of memory regions not belonging to the variable. In an integer overflow (or floating overflow) this invasion does not necessarily happen. When referring to this type of overflow, it is alluded to the attempt to assign a value to a variable that is unable to store such a value due to its excessive magnitude. For an integer overflow, this configures undefined behavior, which could result in a buffer overflow (memory intrusion), a wraparound, etc.
Additional Topic:
Particularities of scanf, gets and fgets processing strings
The default behavior of the function scanf is to stop reading at the first whitespace found (reference). However, the whitespace is left in the input buffer. So the following code is not correct:
// Example 08
#include <stdio.h>
#define SIZE 20
int main() {
char city[SIZE];
char state[SIZE];
printf("City: "); // Columbus
scanf("%19s", city);
printf("State: ");
fgets(state, 20, stdin);
return 0;
}
/* ## Possible Output ##
* City: Columbus
* State:
*/
What happens is that scanf reads the city entered by the user and leaves in the input buffer \n. With that, fgets reads the rest of the input buffer (\n) and stores it in the variable state. As a result, the user cannot enter the state. To correct this code it is necessary to insert getchar after each scanf. However, this protection fails if the user enters the following sequence for the variable city: Columbus space enter. The program returns to the initial problem: getchar will remove space from the buffer, but the newline will remain in the buffer. An alternative to solve this problem is to replace getchar with while ((c = getchar()) != EOF && c != '\n'). This will clear from the input buffer everything after the last character processed by scanf until it finds a newline or the end of the file. So for this solution, each getchar would be replaced by:
int c;
while ((c = getchar()) != EOF && c != '\n');
For both cases, fgets already intrinsically provides the necessary protection. That's because fgets stops reading only when it finds a newline, the end of file or when it reaches the maximum number of characters, whichever comes first (reference). In this case, the newline is what happens first and it is included in the associated variable (in this case, city or state) and removed from the input buffer. Similarly, gets reads until a newline or the end of the file is encountered. If a new line is found, it is included in the associated variable (reference).
Finally, several particularities of scanf and fgets are presented here.
Conclusion
Does this mean that in some cases scanf is guarantee to not overflow
and in others not?
Yes. String processing can be safely performed by scanf. However, when processing integer or floating point values there is no guarantee.
Are there cases where gets can be used safely or should it be avoided altogether?
It should be avoided completely. The gets function is safe only in environments where limits are imposed on stdin, which is a very specific case.
How is fgets more secure?
The function fgets provides security for both string and arithmetic data processing (integer and floating point).
I have very frequently seen people discouraging others from using scanf and saying that there are better alternatives. However, all I end up seeing is either "don't use scanf" or "here's a correct format string", and never any examples of the "better alternatives" mentioned.
For example, let's take this snippet of code:
scanf("%c", &c);
This reads the whitespace that was left in the input stream after the last conversion. The usual suggested solution to this is to use:
scanf(" %c", &c);
or to not use scanf.
Since scanf is bad, what are some ANSI C options for converting input formats that scanf can usually handle (such as integers, floating-point numbers, and strings) without using scanf?
The most common ways of reading input are:
using fgets with a fixed size, which is what is usually suggested, and
using fgetc, which may be useful if you're only reading a single char.
To convert the input, there are a variety of functions that you can use:
strtoll, to convert a string into an integer
strtof/d/ld, to convert a string into a floating-point number
sscanf, which is not as bad as simply using scanf, although it does have most of the downfalls mentioned below
There are no good ways to parse a delimiter-separated input in plain ANSI C. Either use strtok_r from POSIX or strtok, which is not thread-safe. You could also roll your own thread-safe variant using strcspn and strspn, as strtok_r doesn't involve any special OS support.
It may be overkill, but you can use lexers and parsers (flex and bison being the most common examples).
No conversion, simply just use the string
Since I didn't go into exactly why scanf is bad in my question, I'll elaborate:
With the conversion specifiers %[...] and %c, scanf does not eat up whitespace. This is apparently not widely known, as evidenced by the many duplicates of this question.
There is some confusion about when to use the unary & operator when referring to scanf's arguments (specifically with strings).
It's very easy to ignore the return value from scanf. This could easily cause undefined behavior from reading an uninitialized variable.
It's very easy to forget to prevent buffer overflow in scanf. scanf("%s", str) is just as bad as, if not worse than, gets.
You cannot detect overflow when converting integers with scanf. In fact, overflow causes undefined behavior in these functions.
TL;DR
fgets is for getting the input. sscanf is for parsing it afterwards. scanf tries to do both at the same time. That's a recipe for trouble. Read first and parse later.
Why is scanf bad?
The main problem is that scanf was never intended to deal with user input. It's intended to be used with "perfectly" formatted data. I quoted the word "perfectly" because it's not completely true. But it is not designed to parse data that are as unreliable as user input. By nature, user input is not predictable. Users misunderstands instructions, makes typos, accidentally press enter before they are done etc. One might reasonably ask why a function that should not be used for user input reads from stdin. If you are an experienced *nix user the explanation will not come as a surprise but it might confuse Windows users. In *nix systems, it is very common to build programs that work via piping, which means that you send the output of one program to another by piping the stdout of the first program to the stdin of the second. This way, you can make sure that the output and input are predictable. During these circumstances, scanf actually works well. But when working with unpredictable input, you risk all sorts of trouble.
So why aren't there any easy-to-use standard functions for user input? One can only guess here, but I assume that old hardcore C hackers simply thought that the existing functions were good enough, even though they are very clunky. Also, when you look at typical terminal applications they very rarely read user input from stdin. Most often you pass all the user input as command line arguments. Sure, there are exceptions, but for most applications, user input is a very minor thing.
So what can you do?
First of all, gets is NOT an alternative. It's dangerous and should NEVER be used. Read here why: Why is the gets function so dangerous that it should not be used?
My favorite is fgets in combination with sscanf. I once wrote an answer about that, but I will re-post the complete code. Here is an example with decent (but not perfect) error checking and parsing. It's good enough for debugging purposes.
Note
I don't particularly like asking the user to input two different things on one single line. I only do that when they belong to each other in a natural way. Like for instance printf("Enter the price in the format <dollars>.<cent>: "); fgets(buffer, bsize, stdin); and then use sscanf(buffer "%d.%d", &dollar, ¢). I would never do something like printf("Enter height and base of the triangle: "). The main point of using fgets below is to encapsulate the inputs to ensure that one input does not affect the next.
#define bsize 100
void error_function(const char *buffer, int no_conversions) {
fprintf(stderr, "An error occurred. You entered:\n%s\n", buffer);
fprintf(stderr, "%d successful conversions", no_conversions);
exit(EXIT_FAILURE);
}
char c, buffer[bsize];
int x,y;
float f, g;
int r;
printf("Enter two integers: ");
fflush(stdout); // Make sure that the printf is executed before reading
if(! fgets(buffer, bsize, stdin)) error_function(buffer, 0);
if((r = sscanf(buffer, "%d%d", &x, &y)) != 2) error_function(buffer, r);
// Unless the input buffer was to small we can be sure that stdin is empty
// when we come here.
printf("Enter two floats: ");
fflush(stdout);
if(! fgets(buffer, bsize, stdin)) error_function(buffer, 0);
if((r = sscanf(buffer, "%f%f", &f, &g)) != 2) error_function(buffer, r);
// Reading single characters can be especially tricky if the input buffer
// is not emptied before. But since we're using fgets, we're safe.
printf("Enter a char: ");
fflush(stdout);
if(! fgets(buffer, bsize, stdin)) error_function(buffer, 0);
if((r = sscanf(buffer, "%c", &c)) != 1) error_function(buffer, r);
printf("You entered %d %d %f %c\n", x, y, f, c);
If you do a lot of these, I could recommend creating a wrapper that always flushes:
int printfflush (const char *format, ...)
{
va_list arg;
int done;
va_start (arg, format);
done = vfprintf (stdout, format, arg);
fflush(stdout);
va_end (arg);
return done;
}
Doing like this will eliminate a common problem, which is the trailing newline that can mess with the nest input. But it has another issue, which is if the line is longer than bsize. You can check that with if(buffer[strlen(buffer)-1] != '\n'). If you want to remove the newline, you can do that with buffer[strcspn(buffer, "\n")] = 0.
In general, I would advise to not expect the user to enter input in some weird format that you should parse to different variables. If you want to assign the variables height and width, don't ask for both at the same time. Allow the user to press enter between them. Also, this approach is very natural in one sense. You will never get the input from stdin until you hit enter, so why not always read the whole line? Of course this can still lead to issues if the line is longer than the buffer. Did I remember to mention that user input is clunky in C? :)
To avoid problems with lines longer than the buffer you can use a function that automatically allocates a buffer of appropriate size, you can use getline(). The drawback is that you will need to free the result afterwards. This function is not guaranteed to exist by the standard, but POSIX has it. You could also implement your own, or find one on SO. How can I read an input string of unknown length?
Stepping up the game
If you're serious about creating programs in C with user input, I would recommend having a look at a library like ncurses. Because then you likely also want to create applications with some terminal graphics. Unfortunately, you will lose some portability if you do that, but it gives you far better control of user input. For instance, it gives you the ability to read a key press instantly instead of waiting for the user to press enter.
Interesting reading
Here is a rant about scanf: https://web.archive.org/web/20201112034702/http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html
scanf is awesome when you know your input is always well-structured and well-behaved. Otherwise...
IMO, here are the biggest problems with scanf:
Risk of buffer overflow - if you do not specify a field width for the %s and %[ conversion specifiers, you risk a buffer overflow (trying to read more input than a buffer is sized to hold). Unfortunately, there's no good way to specify that as an argument (as with printf) - you have to either hardcode it as part of the conversion specifier or do some macro shenanigans.
Accepts inputs that should be rejected - If you're reading an input with the %d conversion specifier and you type something like 12w4, you would expect scanf to reject that input, but it doesn't - it successfully converts and assigns the 12, leaving w4 in the input stream to foul up the next read.
So, what should you use instead?
I usually recommend reading all interactive input as text using fgets - it allows you to specify a maximum number of characters to read at a time, so you can easily prevent buffer overflow:
char input[100];
if ( !fgets( input, sizeof input, stdin ) )
{
// error reading from input stream, handle as appropriate
}
else
{
// process input buffer
}
One quirk of fgets is that it will store the trailing newline in the buffer if there's room, so you can do an easy check to see if someone typed in more input than you were expecting:
char *newline = strchr( input, '\n' );
if ( !newline )
{
// input longer than we expected
}
How you deal with that is up to you - you can either reject the whole input out of hand, and slurp up any remaining input with getchar:
while ( getchar() != '\n' )
; // empty loop
Or you can process the input you got so far and read again. It depends on the problem you're trying to solve.
To tokenize the input (split it up based on one or more delimiters), you can use strtok, but beware - strtok modifies its input (it overwrites delimiters with the string terminator), and you can't preserve its state (i.e., you can't partially tokenize one string, then start to tokenize another, then pick up where you left off in the original string). There's a variant, strtok_s, that preserves the state of the tokenizer, but AFAIK its implementation is optional (you'll need to check that __STDC_LIB_EXT1__ is defined to see if it's available).
Once you've tokenized your input, if you need to convert strings to numbers (i.e., "1234" => 1234), you have options. strtol and strtod will convert string representations of integers and real numbers to their respective types. They also allow you to catch the 12w4 issue I mentioned above - one of their arguments is a pointer to the first character not converted in the string:
char *text = "12w4";
char *chk;
long val;
long tmp = strtol( text, &chk, 10 );
if ( !isspace( *chk ) && *chk != 0 )
// input is not a valid integer string, reject the entire input
else
val = tmp;
In this answer I'm going to assume that you are reading and
interpreting lines of text.
Perhaps you're prompting the user, who is typing something and
hitting RETURN. Or perhaps you're reading lines of structured
text from a data file of some kind.
Since you're reading lines of text, it makes sense to organize
your code around a library function that reads, well, a line of
text.
The Standard function is fgets(), although there are others (including getline). And then the next step is to interpret
that line of text somehow.
Here's the basic recipe for calling fgets to read a line of
text:
char line[512];
printf("type something:\n");
fgets(line, 512, stdin);
printf("you typed: %s", line);
This simply reads in one line of text and prints it back out.
As written it has a couple of limitations, which we'll get to in
a minute. It also has a very great feature: that number 512 we
passed as the second argument to fgets is the size of the array
line we're asking fgets to read into. This fact -- that we can
tell fgets how much it's allowed to read -- means that we can
be sure that fgets won't overflow the array by reading too much
into it.
So now we know how to read a line of text, but what if we really
wanted to read an integer, or a floating-point number, or a
single character, or a single word? (That is, what if the
scanf call we're trying to improve on had been using a format
specifier like %d, %f, %c, or %s?)
It's easy to reinterpret a line of text -- a string -- as any of these things.
To convert a string to an integer, the simplest (though
imperfect) way to do it is to call atoi().
To convert to a floating-point number, there's atof().
(And there are also better ways, as we'll see in a minute.)
Here's a very simple example:
printf("type an integer:\n");
fgets(line, 512, stdin);
int i = atoi(line);
printf("type a floating-point number:\n");
fgets(line, 512, stdin);
float f = atof(line);
printf("you typed %d and %f\n", i, f);
If you wanted the user to type a single character (perhaps y or
n as a yes/no response), you can literally just grab the first
character of the line, like this:
printf("type a character:\n");
fgets(line, 512, stdin);
char c = line[0];
printf("you typed %c\n", c);
(This ignores, of course, the possibility that the user typed a
multi-character response; it quietly ignores any extra characters
that were typed.)
Finally, if you wanted the user to type a string definitely not containing
whitespace, if you wanted to treat the input line
hello world!
as the string "hello" followed by something else (which is what
the scanf format %s would have done), well, in that case, I
fibbed a little, it's not quite so easy to reinterpret the line
in that way, after all, so the answer to that part of the question will have
to wait for a bit.
But first I want to go back to three things I skipped over.
(1) We've been calling
fgets(line, 512, stdin);
to read into the array line, and where 512 is the size of the
array line so fgets knows not to overflow it. But to make
sure that 512 is the right number (especially, to check if maybe
someone tweaked the program to change the size), you have to read
back to wherever line was declared. That's a nuisance, so
there are two much better ways to keep the sizes in sync.
You could, (a) use the preprocessor to make a name for the size:
#define MAXLINE 512
char line[MAXLINE];
fgets(line, MAXLINE, stdin);
Or, (b) use C's sizeof operator:
fgets(line, sizeof(line), stdin);
(2) The second problem is that we haven't been checking for
error. When you're reading input, you should always check for
the possibility of error. If for whatever reason fgets can't
read the line of text you asked it to, it indicates this by
returning a null pointer. So we should have been doing things like
printf("type something:\n");
if(fgets(line, 512, stdin) == NULL) {
printf("Well, never mind, then.\n");
exit(1);
}
Finally, there's the issue that in order to read a line of text,
fgets reads characters and fills them into your array until it
finds the \n character that terminates the line, and it fills
the \n character into your array, too. You can see this if
you modify our earlier example slightly:
printf("you typed: \"%s\"\n", line);
If I run this and type "Steve" when it prompts me, it prints out
you typed: "Steve
"
That " on the second line is because the string it read and
printed back out was actually "Steve\n".
Sometimes that extra newline doesn't matter (like when we called
atoi or atof, since they both ignore any extra non-numeric
input after the number), but sometimes it matters a lot. So
often we'll want to strip that newline off. There are several
ways to do that, which I'll get to in a minute. (I know I've been
saying that a lot. But I will get back to all those things, I promise.)
At this point, you may be thinking: "I thought you said scanf
was no good, and this other way would be so much better.
But fgets is starting to look like a nuisance.
Calling scanf was so easy! Can't I keep using it?"
Sure, you can keep using scanf, if you want. (And for really
simple things, in some ways it is simpler.) But, please, don't
come crying to me when it fails you due to one of its 17 quirks
and foibles, or goes into an infinite loop because of input your
didn't expect, or when you can't figure out how to use it to do
something more complicated. And let's take a look at fgets's
actual nuisances:
You always have to specify the array size. Well, of course,
that's not a nuisance at all -- that's a feature, because buffer
overflow is a Really Bad Thing.
You have to check the return value. Actually, that's a wash,
because to use scanf correctly, you have to check its return
value, too.
You have to strip the \n back off. This is, I admit, a true
nuisance. I wish there were a Standard function I could point
you to that didn't have this little problem. (Please nobody
bring up gets.) But compared to scanf's 17 different
nuisances, I'll take this one nuisance of fgets any day.
So how do you strip that newline? There are many ways:
(a) Obvious way:
char *p = strchr(line, '\n');
if(p != NULL) *p = '\0';
(b) Tricky & compact way:
strtok(line, "\n");
Unfortunately this doesn't work quite right on empty lines.
(c) Another compact and mildly obscure way:
line[strcspn(line, "\n")] = '\0';
And there are other ways as well. Me, I always just use (a), since it's simple & obvious, if less than concise.
See this question, or this question, for more (much more) on stripping the \n from what fgets gives you.
And now that that's out of the way, we can get back to another
thing I skipped over: the imperfections of atoi() and atof().
The problem with those is they don't give you any useful
indication of success of success or failure: they quietly ignore
trailing nonnumeric input, and they quietly return 0 if there's
no numeric input at all. The preferred alternatives -- which
also have certain other advantages -- are strtol and strtod.
strtol also lets you use a base other than 10, meaning you can
get the effect of (among other things) %o or %x with scanf.
But showing how to use these functions correctly is a story in itself,
and would be too much of a distraction from what is already turning
into a pretty fragmented narrative, so I'm not going to say
anything more about them now.
The rest of the main narrative concerns input you might be trying
to parse that's more complicated than just a single number or
character. What if you want to read a line containing two
numbers, or multiple whitespace-separated words, or specific
framing punctuation? That's where things get interesting, and
where things were probably getting complicated if you were trying
to do things using scanf, and where there are vastly more
options now that you've cleanly read one line of text using fgets,
although the full story on all those options could probably fill
a book, so we're only going to be able to scratch the surface here.
My favorite technique is to break the line up into
whitespace-separated "words", then do something further with each
"word". One principal Standard function for doing this is
strtok (which also has its issues, and which also rates a whole
separate discussion). My own preference is a dedicated function
for constructing an array of pointers to each broken-apart
"word", a function I describe in
these course notes.
At any rate, once you've got "words", you can further process
each one, perhaps with the same atoi/atof/strtol/strtod
functions we've already looked at.
Paradoxically, even though we've been spending a fair amount of
time and effort here figuring out how to move away from scanf,
another fine way to deal with the line of text we just read with
fgets is to pass it to sscanf. In this way, you end up with
most of the advantages of scanf, but without most of the
disadvantages.
If your input syntax is particularly complicated, it might be appropriate to use a "regexp" library to parse it.
Finally, you can use whatever ad hoc parsing solutions suit
you. You can move through the line a character at a time with a
char * pointer checking for characters you expect. Or you can
search for specific characters using functions like strchr or strrchr,
or strspn or strcspn, or strpbrk. Or you can parse/convert
and skip over groups of digit characters using the strtol or
strtod functions that we skipped over earlier.
There's obviously much more that could be said, but hopefully
this introduction will get you started.
What can I use to parse input instead of scanf?
Instead of scanf(some_format, ...), consider fgets() with sscanf(buffer, some_format_and %n, ...)
By using " %n", code can simply detect if all the format was successfully scanned and that no extra non-white-space junk was at the end.
// scanf("%d %f fred", &some_int, &some_float);
#define EXPECTED_LINE_MAX 100
char buffer[EXPECTED_LINE_MAX * 2]; // Suggest 2x, no real need to be stingy.
if (fgets(buffer, sizeof buffer, stdin)) {
int n = 0;
// add ----------------> " %n" -----------------------, &n
sscanf(buffer, "%d %f fred %n", &some_int, &some_float, &n);
// Did scan complete, and to the end?
if (n > 0 && buffer[n] == '\0') {
// success, use `some_int, some_float`
} else {
; // Report bad input and handle desired.
}
Let's state the requirements of parsing as:
valid input must be accepted (and converted into some other form)
invalid input must be rejected
when any input is rejected, it is necessary to provide the user with a descriptive message that explains (in clear "easily understood by normal people who are not programmers" language) why it was rejected (so that people can figure out how to fix the problem)
To keep things very simple, lets consider parsing a single simple decimal integer (that was typed in by the user) and nothing else. Possible reasons for the user's input to be rejected are:
the input contained unacceptable characters
the input represents a number that is lower than the accepted minimum
the input represents a number that is higher than the accepted maximum
the input represents a number that has a non-zero fractional part
Let's also define "input contained unacceptable characters" properly; and say that:
leading whitespace and trailing whitespace will be ignored (e.g. "
5 " will be treated as "5")
zero or one decimal point is allowed (e.g. "1234." and "1234.000" are both treated the same as "1234")
there must be at least one digit (e.g. "." is rejected)
no more than one decimal point is allowed (e.g. "1.2.3" is rejected)
commas that are not between digits will be rejected (e.g. ",1234" is rejected)
commas that are after a decimal point will be rejected (e.g. "1234.000,000" is rejected)
commas that are after another comma are rejected (e.g. "1,,234" is rejected)
all other commas will be ignored (e.g. "1,234" will be treated as "1234")
a minus sign that is not the first non-whitespace character is rejected
a positive sign that is not the first non-whitespace character is rejected
From this we can determine that the following error messages are needed:
"Unknown character at start of input"
"Unknown character at end of input"
"Unknown character in middle of input"
"Number is too low (minimum is ....)"
"Number is too high (maximum is ....)"
"Number is not an integer"
"Too many decimal points"
"No decimal digits"
"Bad comma at start of number"
"Bad comma at end of number"
"Bad comma in middle of number"
"Bad comma after decimal point"
From this point we can see that a suitable function to convert a string into an integer would need to distinguish between very different types of errors; and that something like "scanf()" or "atoi()" or "strtoll()" is completely and utterly worthless because they fail to give you any indication of what was wrong with the input (and use a completely irrelevant and inappropriate definition of what is/isn't "valid input").
Instead, lets start writing something that isn't useless:
char *convertStringToInteger(int *outValue, char *string, int minValue, int maxValue) {
return "Code not implemented yet!";
}
int main(int argc, char *argv[]) {
char *errorString;
int value;
if(argc < 2) {
printf("ERROR: No command line argument.\n");
return EXIT_FAILURE;
}
errorString = convertStringToInteger(&value, argv[1], -10, 2000);
if(errorString != NULL) {
printf("ERROR: %s\n", errorString);
return EXIT_FAILURE;
}
printf("SUCCESS: Your number is %d\n", value);
return EXIT_SUCCESS;
}
To meet the stated requirements; this convertStringToInteger() function is likely to end up being several hundred lines of code all by itself.
Now, this was just "parsing a single simple decimal integer". Imagine if you wanted to parse something complex; like a list of "name, street address, phone number, email address" structures; or maybe like a programming language. For these cases you might need to write thousands of lines of code to create a parse that isn't a crippled joke.
In other words...
What can I use to parse input instead of scanf?
Write (potentially thousands of lines) of code yourself, to suit your requirements.
Here is an example of using flex to scan a simple input, in this case a file of ASCII floating point numbers that might be in either US (n,nnn.dd) or European (n.nnn,dd) formats. This is just copied from a much larger program, so there may be some unresolved references:
/* This scanner reads a file of numbers, expecting one number per line. It */
/* allows for the use of European-style comma as decimal point. */
%{
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#ifdef WINDOWS
#include <io.h>
#endif
#include "Point.h"
#define YY_NO_UNPUT
#define YY_DECL int f_lex (double *val)
double atofEuro (char *);
%}
%option prefix="f_"
%option nounput
%option noinput
EURONUM [-+]?[0-9]*[,]?[0-9]+([eE][+-]?[0-9]+)?
NUMBER [-+]?[0-9]*[\.]?[0-9]+([eE][+-]?[0-9]+)?
WS [ \t\x0d]
%%
[!##%&*/].*\n
^{WS}*{EURONUM}{WS}* { *val = atofEuro (yytext); return (1); }
^{WS}*{NUMBER}{WS}* { *val = atof (yytext); return (1); }
[\n]
.
%%
/*------------------------------------------------------------------------*/
int scan_f (FILE *in, double *vals, int max)
{
double *val;
int npts, rc;
f_in = in;
val = vals;
npts = 0;
while (npts < max)
{
rc = f_lex (val);
if (rc == 0)
break;
npts++;
val++;
}
return (npts);
}
/*------------------------------------------------------------------------*/
int f_wrap ()
{
return (1);
}
One of the most common uses of scanf is to read a single int as input from the user. Therefore, my answer will focus on this one problem only.
Here is an example of how scanf is commonly used for reading an int from the user:
int num;
printf( "Please enter an integer: " );
if ( scanf( "%d", &num ) != 1 )
{
printf( "Error converting input!\n" );
}
else
{
printf( "The input was successfully converted to %d.\n", num );
}
Using scanf in this manner has several problems:
The function scanf will not always read a whole line of input.
If the input conversion fails due to the user entering bad input such as abc, then the bad input will be left on the input stream. If this bad input is not discarded afterwards, then all further calls to scanf with the %d format specifier will immediately fail, without waiting for the user to enter further input. This may cause an infinite loop.
Even if the input conversion succeeds, any trailing bad input will be left on the input stream. For example, if the user enters 6abc, then scanf will successfully convert the 6, but leave abc on the input stream. If this input is not discarded, then we will once again have the problem of all further calls to scanf with the %d format specifier immediately failing, which may cause an infinite loop.
Even in the case of the input succeeding and the user not entering any trailing bad input, the mere fact that scanf generally leaves the newline character on the input stream can cause trouble, as demonstrated in this question.
Another issue with using scanf with the %d format spcifier is that if the result of the conversion is not representable as an int (e.g. if the result is larger than INT_MAX), then, according to §7.21.6.2 ¶10 of the ISO C11 standard, the behavior of the program is undefined, which means that you cannot rely on any specific behavior.
In order to solve all of the issues mentioned above, it is generally better to use the function fgets, which will always read an entire line of input at once, if possible. This function will read the input as a string. After doing this, you can use the function strtol to attempt to convert the string to an integer. Here is an example program:
#include <stdio.h>
#include <stdlib.h>
int main( void )
{
char line[200], *p;
int num;
//prompt user for input
printf( "Enter a number: " );
//attempt to read one line of input
if ( fgets( line, sizeof line, stdin ) == NULL )
{
printf( "Input failure!\n" );
exit( EXIT_FAILURE );
}
//attempt to convert string to integer
num = strtol( line, &p, 10 );
if ( p == line )
{
printf( "Unable to convert to integer!\n" );
exit( EXIT_FAILURE );
}
//print result
printf( "Conversion successful! The number is %d.\n", num );
}
However, this code has the following issues:
It does not check whether the input line was too long to fit into the buffer.
It does not check whether the converted number is representable as an int, for example whether the number is too large to be stored in an int.
It will accept 6abc as valid input for the number 6. This is not as bad as scanf, because scanf will leave abc on the input stream, whereas fgets will not. However, it would probably still be better to reject the input instead of accepting it.
All of these issues can be solved by doing the following:
Issue #1 can be solved by checking
whether the input buffer contains a newline character, or
whether end-of-file has been reached, which can be treated as equivalent to a newline character, because it also indicates the end of the line.
Issue #2 can be solved by checking whether the function strtol set errno to the value of the macro constant ERANGE, to determine whether the converted value is representable as a long. In order to determine whether this value is also representable as an int, the value returned by strtol should be compared against INT_MIN and INT_MAX.
Issue #3 can be solved by checking all remaining characters on the line. Since strtol accepts leading whitespace characters, it would probably also be appropriate to accept trailing whitespace characters. However, if the input contains any other trailing characters, the input should probably be rejected.
Here is an improved version of the code, which solves all of the issues mentioned above and also puts everything into a function named get_int_from_user. This function will automatically reprompt the user for input, until the input is valid.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <limits.h>
#include <errno.h>
int get_int_from_user( const char *prompt )
{
//loop forever until user enters a valid number
for (;;)
{
char buffer[1024], *p;
long l;
//prompt user for input
fputs( prompt, stdout );
//get one line of input from input stream
if ( fgets( buffer, sizeof buffer, stdin ) == NULL )
{
fprintf( stderr, "Unrecoverable input error!\n" );
exit( EXIT_FAILURE );
}
//make sure that entire line was read in (i.e. that
//the buffer was not too small)
if ( strchr( buffer, '\n' ) == NULL && !feof( stdin ) )
{
int c;
printf( "Line input was too long!\n" );
//discard remainder of line
do
{
c = getchar();
if ( c == EOF )
{
fprintf( stderr, "Unrecoverable error reading from input!\n" );
exit( EXIT_FAILURE );
}
} while ( c != '\n' );
continue;
}
//attempt to convert string to number
errno = 0;
l = strtol( buffer, &p, 10 );
if ( p == buffer )
{
printf( "Error converting string to number!\n" );
continue;
}
//make sure that number is representable as an "int"
if ( errno == ERANGE || l < INT_MIN || l > INT_MAX )
{
printf( "Number out of range error!\n" );
continue;
}
//make sure that remainder of line contains only whitespace,
//so that input such as "6abc" gets rejected
for ( ; *p != '\0'; p++ )
{
if ( !isspace( (unsigned char)*p ) )
{
printf( "Unexpected input encountered!\n" );
//cannot use `continue` here, because that would go to
//the next iteration of the innermost loop, but we
//want to go to the next iteration of the outer loop
goto continue_outer_loop;
}
}
return l;
continue_outer_loop:
continue;
}
}
int main( void )
{
int number;
number = get_int_from_user( "Enter a number: " );
printf( "Input was valid.\n" );
printf( "The number is: %d\n", number );
return 0;
}
This program has the following behavior:
Enter a number: abc
Error converting string to number!
Enter a number: 6000000000
Number out of range error!
Enter a number: 6 7 8
Unexpected input encountered!
Enter a number: 6abc
Unexpected input encountered!
Enter a number: 6
Input was valid.
The number is: 6
Other answers give the right low-level details, so I'll limit myself to a higher-level: First, analyse what you expect each input line to look like. Try to describe the input with a formal syntax - with luck, you will find it can be described using a regular grammar, or at least a context-free grammar. If a regular grammar suffices, then you can code up a finite-state machine which recognizes and interprets each command-line one character at a time. Your code will then read a line (as explained in other replies), then scan the chars in the buffer through the state-machine. At certain states you stop and convert the substring scanned thus far to a number or whatever. You can probably 'roll your own' if it is this simple; if you find you require a full context-free grammar you are better off figuring out how to use existing parsing tools (re: lex and yacc or their variants).
In the book Practical C Programming, I find that the combination of fgets() and sscanf() is used to read input. However, it appears to me that the same objective can be met more easily using just the fscanf() function:
From the book (the idea, not the example):
int main()
{
int age, weight;
printf("Enter age and weight: ");
char line[20];
fgets(line, sizeof(line), stdin);
sscanf(line, "%d %d", &age, &weight);
printf("\nYou entered: %d %d\n", age, weight);
return 0;
}
How I think it should be:
int main()
{
int age, weight;
printf("Enter age and weight: ");
fscanf(stdin, "%d %d", &age, &weight);
printf("\nYou entered: %d %d\n", age, weight);
return 0;
}
Or there is some hidden quirk I'm missing?
There are a few behavior differences in the two approaches. If you use fgets() + sscanf(), you must enter both values on the same line, whereas fscanf() on stdin (or equivalently, scanf()) will read them off different lines if it doesn't find the second value on the first line you entered.
But, probably the most important differences have to do with handling error cases and the mixing of line oriented input and field oriented input.
If you read a line that you're unable to parse with sscanf() after having read it using fgets() your program can simply discard the line and move on. However, fscanf(), when it fails to convert fields, leaves all the input on the stream. So, if you failed to read the input you wanted, you'd have to go and read all the data you want to ignore yourself.
The other subtle gotcha comes in if you want to mix field oriented (ala scanf()) with line oriented (e.g. fgets()) calls in your code. When scanf() converts an int for example, it will leave behind a \n on the input stream (assuming there was one, like from pressing the enter key), which will cause a subsequent call to fgets() to return immediately with only that character in the input. This is a really common issue for new programmers.
So, while you are right that you can just use fscanf() like that, you may be able to avoid some headaches by using fgets() + sscanf().
The problem with only using fscanf() is, mostly, in error management.
Imagine you input "51 years, 85 Kg" to both programs.
The first program fails in the sscanf() and you still have the line to report errors to the user, to try a different parsing alternative, to something;
The second program fails at years, age is usable, weight is unusable.
Remeber to always check the return value of *scanf() for error checking.
fgets(line, sizeof(line), stdin);
if (sscanf(line, "%d%d", &age, &weight) != 2) /* error with input */;
Edit
With your first program, after the error, the input buffer is clear; with the second program the input buffer starts with YEAR...
Recovery in the first case is easy; recovery in the second case has to go through some sort of clearing the input buffer.
There is no difference between fscanf() versus fgets()/sscanf() when:
Input data is well-formed.
Two types of errors occur: I/O and format. fscanf() simultaneously handles these two error types in one function but offers few recovery options. The separate fgets() and sscanf() allow logical separation of I/O issues from format ones and thus better recovery.
Only 1 parsing path with fscanf().
Separating I/O from scanning as with fgets/sscanf allows multiple sscanf() options. Should a given scanning of a buffer not realize the desired results, other sscanf() with different formats are available.
No embedded '\0'.
Rarely does '\0' occurs, but should one occur, sscanf() will not see it as scanning stops with its occurrence, whereas fscanf() continues.
In all cases, check results of all three functions.