Re: [Newbie] [DG Scripts] Few questions for anyone.

From: George Greer
Date: 06/27/02

On Thu, 27 Jun 2002, Mathew Earle Reuther wrote:

>I ran into a number of send_to_char calls which looked similar to this:
>send_to_char(buf, d->character)
>Which I then changed to:
>send_to_char(d->character, buf)

        send_to_char(d->character, "%s", buf);

There've been a number of security breaches in programs due to not having
the "%s" in there.  It's because "buf" can be instrumented to have any of
the printf formats by an attacker and the %n one writes to memory.

>Is that the correct method of writing those, or should d->character be
>simply ch as such:
>send_to_char(ch, buf)

Depends on if you have a 'struct char_data' (usually) or 'struct
descriptor_data' available.  Places with the descriptor tend to use

George Greer
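
Added example (not part of the original post, and not CircleMUD's own code): a minimal printf-style send_to_char() showing why the "%s" matters. The struct char_data here is a hypothetical stand-in with only an output buffer, and the sample text is constructed; "%%" is used because it consumes no argument, so the "before" call stays well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the MUD's character structure. */
struct char_data { char out[256]; };

/* The format attribute (GCC/Clang) lets -Wformat -Wformat-security
 * flag calls whose format argument is not a string literal. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
static size_t send_to_char(struct char_data *ch, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(ch->out, sizeof(ch->out), fmt, ap);
    va_end(ap);
    if (n < 0) { ch->out[0] = '\0'; return 0; }
    /* vsnprintf reports the untruncated length; clamp to what was stored. */
    return (size_t)n < sizeof(ch->out) ? (size_t)n : sizeof(ch->out) - 1;
}

/* Silenced only so the "before" call below still builds under -Werror. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Returns 1 if the text reached the character byte-for-byte. */
static int delivered_verbatim(const char *buf, int literal_format)
{
    struct char_data ch;

    if (literal_format)
        send_to_char(&ch, "%s", buf);   /* buf is data only */
    else
        send_to_char(&ch, buf);         /* buf is parsed as a format: the bug */
    return strcmp(ch.out, buf) == 0;
}

int main(void)
{
    /* Constructed input containing a conversion that takes no argument. */
    const char *buf = "You are 100%% done.";
    printf("literal \"%%s\": %d, buf as format: %d\n",
           delivered_verbatim(buf, 1), delivered_verbatim(buf, 0));
    return 0;
}
```

Without the pragma, building with -Wformat -Wformat-security reports the send_to_char(&ch, buf) call, which is a quick way to find the remaining call sites after a conversion like the one described above.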


This archive was generated by hypermail 2b30 : 06/25/03 PDT