Issue With Code: Format string is not a string literal
Tags: iphone, objective-c
Problem Overview
> Possible Duplicate:
> SnowLeopard Xcode warning: “format not a string literal and no format arguments”
I am getting the following issue for this line of code.
"Format string is not a string literal (potentially insecure)"
NSLog([NSString stringWithFormat:@"%@", entered]);
Any suggestions?
Solutions
Solution 1 - Iphone
The compiler wants us to use an NSString constant for the format string (the first argument to NSLog) because it prevents a fairly well-known exploit that could potentially violate security. So for example, you could change the code you posted as follows to keep the compiler happy:
NSLog(@"%@", [NSString stringWithFormat:@"%@", entered]);
EDIT
And of course, the above could (and should) simply be written as follows:
NSLog(@"%@", entered);
Nature of Security Exploits
> Uncontrolled format string[1] is a type of software vulnerability, discovered around 1999,
> that can be used in security exploits. Previously thought harmless, format string exploits
> can be used to crash a program or to execute harmful code. The problem stems from the use of
> unchecked user input as the format string parameter in certain C functions that perform
> formatting, such as printf(). A malicious user may use the %s and %x format tokens, among
> others, to print data from the stack or possibly other locations in memory. One may also
> write arbitrary data to arbitrary locations using the %n format token, which commands
> printf() and similar functions to write the number of bytes formatted to an address stored
> on the stack.
>
> A typical exploit uses a combination of these techniques to force a program to overwrite
> the address of a library function or the return address on the stack with a pointer to some
> malicious shellcode. The padding parameters to format specifiers are used to control the
> number of bytes output and the %x token is used to pop bytes from the stack until the
> beginning of the format string itself is reached. The start of the format string is crafted
> to contain the address that the %n format token can then overwrite with the address of the
> malicious code to execute.
Source: Wikipedia Uncontrolled Format String
[1]: http://cwe.mitre.org/data/definitions/134.html "CWE-134: Uncontrolled Format String". Common Weakness Enumeration. MITRE.
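The warning applies to the whole printf family, of which NSLog is one member. The following C program is an added example (not part of the answer above or of any project) showing the two halves of the fix: a small checker, count_conversions, that reports how many conversion specifiers an untrusted string would introduce if it were ever used as a format, and a logging helper, log_untrusted, that passes the text as an argument to a literal "%s" format so that any %x or %n in it is treated as data. Both function names and the sample input are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion specifiers in a candidate format string.
 * "%%" is a literal percent sign and does not count.  This is the
 * property the compiler warning is about: text that came from a user,
 * a file or the network may contain conversions the programmer never
 * supplied arguments for, so it must not become the format string. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": escaped percent sign, skip both */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* dangling '%' at end of string */
            break;
        n++;
    }
    return n;
}

/* Safe pattern: the format is a literal, the untrusted text is an
 * argument.  The pattern to avoid is the one the question shows,
 * i.e. printf(untrusted) / NSLog(untrusted), where the input itself
 * becomes the format.  Returns what snprintf returns (the length the
 * full message would have). */
int log_untrusted(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "[log] %s", untrusted);
}

int main(void)
{
    /* Constructed sample: text a user typed into an input field. */
    const char *entered = "name=%s balance=%x %n";
    char buf[128];

    printf("conversions found in input: %d\n", count_conversions(entered));
    log_untrusted(buf, sizeof buf, entered);
    printf("%s\n", buf);   /* %s, %x and %n appear verbatim: they are data */
    return 0;
}
```

If count_conversions reports a non-zero value for a string that is about to be used as a format, that string must be passed through a "%s" (or "%@" in Objective-C) format as an argument instead; the compiler flag behind the warning on the original question (-Wformat-security) catches the non-literal case at build time, and this runtime check is the same idea applied to data the compiler cannot see.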
Solution 2 - Iphone
Here is the solution.
Try with
NSLog(@"%@",entered);
because NSLog can also do formatting for you...
Solution 3 - Iphone
Try:
NSLog(@"%@",[NSString stringWithFormat:@"%@",entered]);
Hope this helps you. :)