Difference between strcpy & strcpy_s
can someone please explain to me whats the difference between these two if there is any?
on my current assignment I've done everything correctly, however one= one of my lines i receive an error message error C4996 'strcpy': This function or variable may be unsafe.
Consider using strcpy_s instead. To disable deprecation,
use _CRT_SECURE_NO_WARNINGS. See online help for details
why does it display this message and when i change strcpy to strcpy_s it didn't receive ad error message.
Im currently using visual studios.
can somebody please explain to me why this happens?
on my current assignment I've done everything correctly, however one= one of my lines i receive an error message error C4996 'strcpy': This function or variable may be unsafe.
Consider using strcpy_s instead. To disable deprecation,
use _CRT_SECURE_NO_WARNINGS. See online help for details
why does it display this message and when i change strcpy to strcpy_s it didn't receive ad error message.
Im currently using visual studios.
can somebody please explain to me why this happens?
MS went on a "these standard functions aren't safe!" rampage a couple years ago and "deprecated" several standard functions, replacing them with _s ("safe") alternatives.
strcpy is potentially unsafe because it can lead to buffer overflow if you try to copy a string to a buffer that is not large enough to contain it:
strcpy_s is "safer" because you have to explicitly specify the size of the target buffer, so the function will not overflow:
The downside to this is that strcpy_s is non-standard and MS specific... and therefore if you write code to use it, your code will not be portable.
And truncating string data, while better than overflowing a buffer, is still bad and you should not write code in which this situation would ever come up (ie: you shouldn't be calling strcpy OR strcpy_s unless you're already sure the buffer is large enough to hold the string).
So personally... I define _CRT_SECURE_NO_WARNINGS in all my projects to shut these warnings up. Though I rarely use these functions anyway as C++'s std::string is not only safer than both of them, but also is much easier to use.
strcpy is potentially unsafe because it can lead to buffer overflow if you try to copy a string to a buffer that is not large enough to contain it:
|
|
strcpy_s is "safer" because you have to explicitly specify the size of the target buffer, so the function will not overflow:
|
|
The downside to this is that strcpy_s is non-standard and MS specific... and therefore if you write code to use it, your code will not be portable.
And truncating string data, while better than overflowing a buffer, is still bad and you should not write code in which this situation would ever come up (ie: you shouldn't be calling strcpy OR strcpy_s unless you're already sure the buffer is large enough to hold the string).
So personally... I define _CRT_SECURE_NO_WARNINGS in all my projects to shut these warnings up. Though I rarely use these functions anyway as C++'s std::string is not only safer than both of them, but also is much easier to use.
According to Wikipedia, strcpy_s *is* a standard:
strcpy_s - C (2011) and ISO/IEC WDTR 24731
http://en.wikipedia.org/wiki/C_string_handling
And indeed it can be found here:
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
I realize it's not in wide deployment at this time, but I wonder what the future will hold for it? Presumably we should start seeing it showing up in c++11 stdlib.
All that said, I agree that for portability strcpy_s should be avoided. If necessary, grab a copy of the BSD implementation of strlcpy.c and use it instead. It is equally safe, freely available, and more powerful (i.e. in case of truncation it tells you how many characters *would* have been written, which provides a means to allocate a right-sized buffer). The C standard would do well to pick it up, so people stop using strncpy (which doesn't behave as commonly expected - you want to write a 10 char string to a 1MB buffer? Surprise - you just wrote 1MB of data).
strcpy_s - C (2011) and ISO/IEC WDTR 24731
http://en.wikipedia.org/wiki/C_string_handling
And indeed it can be found here:
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
I realize it's not in wide deployment at this time, but I wonder what the future will hold for it? Presumably we should start seeing it showing up in c++11 stdlib.
All that said, I agree that for portability strcpy_s should be avoided. If necessary, grab a copy of the BSD implementation of strlcpy.c and use it instead. It is equally safe, freely available, and more powerful (i.e. in case of truncation it tells you how many characters *would* have been written, which provides a means to allocate a right-sized buffer). The C standard would do well to pick it up, so people stop using strncpy (which doesn't behave as commonly expected - you want to write a 10 char string to a 1MB buffer? Surprise - you just wrote 1MB of data).
Last edited on
Topic archived. No new replies allowed.