scanf with c-string

With the following code:

#include <stdio.h>

int main()
{
    char input[10];

    printf("\nEnter a word: ");
    scanf("%s", &input);   /* the line the warning below points at */
    printf("You entered %s", input);
    return 0;
}

I get a funny warning

warning: format '%s' expects type 'char *', but argument 2 has type 'char (*)[10]'|
||=== Build finished: 0 errors, 1 warnings ===|

When I get rid of the & symbol the warning goes away, but every example I have seen on the internet uses the & symbol to point to the variable.

What way is the proper way?
First of all, never use a naked %s: you're making it trivial for a malicious user to execute arbitrary code by giving our program specially crafted input. If you let me provide input to this program running on your computer, I could have your compiler email me your passwords. Or just shut down.

Always use the size of the array minus one (to give space for the terminating null)

scanf("%9s", input); or, if you really want to see a &, scanf("%9s", &input[0]); (it's the same thing, just written more verbosely)

Or use C++ string I/O.
I will use the size from now on, but how in the world could you enter code into a running program and have it execute?

Also, why is using the & giving me a warning during compilation?
Using the & the way you tried using it (&input) produces a pointer to the whole array, but scanf expects a pointer to a single character, the first character in an array. The documentation for scanf should mention that. &input[0] is what it expects, and C has a shortcut for that: just writing input in a situation where an array is not acceptable makes the compiler generate &input[0] automatically.

As for entering code into the running program -- see http://en.wikipedia.org/wiki/Buffer_overflow#Stack-based_exploitation

PS: there's no problem using %s with something like sscanf(), where you know your input. But user-supplied input cannot be assumed to be safe. That's why gets() was removed from C.
If it is pointing to just one spot of the array, how does it grab everything I type in?

Also thank you for informing me about the buffer overflow. Let me make sure I am understanding it right though.

"Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates."

Does that quote from your link mean that simple input like mine is not a problem?
&input[0] is pointing at one spot in the array. scanf(), when processing a %s, writes to that spot, then to the next spot in RAM, then to the next spot, and so on, as long as there's non-whitespace input. That's just what it does.

If the user typed 100 letters, they will all be written to RAM at successive locations that begin with input[0], even though your buffer was only big enough to hold the first 10 of them. The remaining 90 will trample over other variables and control structures. That's a buffer overflow. And if someone comes in and triggers it with input that is designed to execute code, that's a buffer overflow exploit.
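The width limit recommended earlier in the thread and the overflow described in the reply above, as an added example that is not part of any post: it reads words with "%9s" into the same 10-byte buffer, checks that the neighbouring variable is untouched, and reports when input was cut off. sscanf over a constructed string stands in for scanf on stdin; struct record, guard and read_word are names made up for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Same 10-byte buffer as the thread, followed by a neighbour that an
   unbounded %s would overwrite first. */
struct record {
    char input[10];
    char guard[6];
};

/* Read one word from *cursor with the bounded "%9s" and advance *cursor.
   Returns 1 if the word fit, 0 if it was cut at 9 characters (the tail
   is skipped), -1 if there was no word left. */
int read_word(const char **cursor, struct record *r)
{
    int used = 0;

    strcpy(r->guard, "GUARD");
    if (sscanf(*cursor, "%9s%n", r->input, &used) != 1)
        return -1;
    *cursor += used;

    /* %9s stops after 9 characters; if the next one is not whitespace
       or the end of the string, the user typed more than fits. */
    if (**cursor == '\0' || isspace((unsigned char)**cursor))
        return 1;
    while (**cursor != '\0' && !isspace((unsigned char)**cursor))
        ++*cursor;              /* drop the tail so it is not read as the next word */
    return 0;
}

int main(void)
{
    /* Constructed input standing in for what a user types at the prompt. */
    const char *typed = "hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA next\n";
    struct record r;
    int rc;

    while ((rc = read_word(&typed, &r)) >= 0)
        printf("rc=%d input=\"%s\" guard=%s\n", rc, r.input, r.guard);
    return 0;
}
```

Without the check after the read, the leftover letters of an oversized word would be returned as the next "word" by the following call.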
Ok thank you so much for being able to clear things up in a way that I understand. I now understand scanf more and learned about security at the same time. Out of curiosity, what would input that was designed to execute code look like?
it would look like a bunch of gibberish, like %�|��[censored]�cmd.exe /c net user cubbi 12345 /add && net localgroup Administrators /add cubbi
Oh no wonder I didn't know how it worked at all.