First of all, never use a naked %s: you're making it trivial for a malicious user to execute arbitrary code by giving our program specially crafted input. If you let me provide input to this program running on your computer, I could have your compiler email me your passwords. Or just shut down.
Always use the size of the array minus one (to give space for the terminating null):
scanf("%9s", input); or, if you really want to see a &, scanf("%9s", &input[0]); (it's the same thing, just written more verbosely)
Using the & the way you tried using it (&input) produces a pointer to the whole array, but scanf expects a pointer to a single character, the first character in an array. The documentation for scanf should mention that. &input[0] is what it expects, and C has a shortcut for that: just writing input in a situation where an array is not acceptable makes the compiler generate &input[0] automatically.
PS: there's no problem using %s with something like sscanf(), where you know your input. But user-supplied input cannot be assumed to be safe. That's why gets() was removed from C.
&input[0] is pointing at one spot in the array. scanf(), when processing a %s, writes to that spot, then to the next spot in RAM, then to the next spot, and so on, as long as there's non-whitespace input. That's just what it does.
If the user typed 100 letters, they will all be written to RAM at successive locations that begin with input[0], even though your buffer was only big enough to hold the first 10 of them. The remaining 90 will trample over other variables and control structures. That's a buffer overflow. And if someone comes in and triggers it with input that is designed to execute code, that's a buffer overflow exploit.
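The width-limited read from the answers above, as an added example that is not part of the original posts. It goes one step further than the thread by also detecting that a word was cut at 9 characters and discarding the leftover tail; `INPUT_SIZE`, `read_word` and `try_input` are hypothetical names, and the sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define INPUT_SIZE 10   /* the 10-char buffer discussed in the thread */

/* Hypothetical helper: read one whitespace-delimited word into buf.
 * Returns 1 if the whole word fit, 0 if it was longer than the buffer
 * and was cut, -1 on EOF or read error. */
int read_word(FILE *in, char buf[INPUT_SIZE])
{
    int c;
    /* Width 9 = INPUT_SIZE - 1: at most 9 chars are stored, plus '\0'. */
    if (fscanf(in, "%9s", buf) != 1)
        return -1;
    /* If the next char is not whitespace, the width limit cut the word. */
    c = fgetc(in);
    if (c == EOF || isspace((unsigned char)c)) {
        ungetc(c, in);              /* ungetc(EOF) is a no-op */
        return 1;
    }
    /* Discard the tail so it is not mistaken for the next input. */
    while (c != EOF && !isspace((unsigned char)c))
        c = fgetc(in);
    ungetc(c, in);
    return 0;
}

/* Feed constructed text through read_word twice via a temporary file.
 * Returns the status of the first read, or -2 if no temp file is available. */
int try_input(const char *text, char first[INPUT_SIZE], char second[INPUT_SIZE])
{
    FILE *f = tmpfile();
    int status;
    first[0] = second[0] = '\0';
    if (f == NULL)
        return -2;
    fputs(text, f);
    rewind(f);
    status = read_word(f, first);
    read_word(f, second);
    fclose(f);
    return status;
}

int main(void)
{
    char a[INPUT_SIZE], b[INPUT_SIZE];
    /* Constructed sample: a 30-letter word followed by a short one. */
    int s = try_input("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ok\n", a, b);
    printf("status=%d first=\"%s\" second=\"%s\"\n", s, a, b);
    return 0;
}
```
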
Ok thank you so much for being able to clear things up in a way that I understand. I now understand scanf more and learned about security at the same time. Out of curiosity, what would input that was designed to execute code look like?