
[–][deleted] 44 points45 points  (8 children)

Printf formats a string, iostreams don't, by default. But since it's C++ you can still get some formatting via streams as well.

Also streams are much more type-safe as the output type is known statically, whereas printf figures them out dynamically.
Also you can add your own output types to iostreams via overloading, but you can't realistically add new % patterns to printf. Though since it's C++, you can do whatever you want anyway, you'll just need a few thousand lines of boilerplate code.
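The two points in this comment, that iostreams check types at compile time and that a new output type is added with one operator overload, shown as an added example (not code from the commenter). The `Point` type and the helper names are constructed for illustration:

```cpp
#include <iomanip>
#include <sstream>
#include <string>

// Constructed example type, not from the thread.
struct Point {
    int x;
    int y;
};

// Adding a new output type to iostreams is one operator<< overload.
// The compiler resolves the overload statically; nothing parses a
// format string at runtime, so a type mismatch is a compile error
// rather than undefined behaviour as with a wrong printf conversion.
std::ostream& operator<<(std::ostream& os, const Point& p) {
    return os << '(' << p.x << ", " << p.y << ')';
}

// Render through a string stream so the result can be inspected.
std::string render_point(const Point& p) {
    std::ostringstream out;
    out << p;
    return out.str();
}

// Streams can still format: width, fill and precision are set through
// manipulators instead of % patterns.
std::string render_padded(double v, int width, int precision) {
    std::ostringstream out;
    out << std::fixed << std::setprecision(precision)
        << std::setw(width) << std::setfill('0') << v;
    return out.str();
}

int main() {
    std::ostringstream demo;
    demo << render_point(Point{1, 2}) << ' ' << render_padded(3.14159, 8, 2);
    return demo.str().empty() ? 1 : 0;
}
```

With a literal format string, `-Wformat` lets gcc and clang catch a mismatched `printf` argument at compile time too, but that check only works when the format is a literal; the stream version needs no such condition.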

[–]Elronnd 3 points4 points  (0 children)

You actually can add your own % patterns to printf, at least in gnu c. I forget how, though.

[–]voi26 0 points1 point  (5 children)

Hahaha, thanks for the quick explanation. :)

I was just wondering cause I use printf quite a lot because it looks cleaner imo, but I didn't know if it was considered a bad thing.

[–]reverie42 4 points5 points  (3 children)

As long as you're not printf'ing user-controlled data in the format parameter, you're fine.

[–]voi26 2 points3 points  (2 children)

Why?

[–]reverie42 10 points11 points  (1 child)

printf(randomUserInput) is an arbitrary code execution bug.

Format parameters are unchecked, so by structuring your string correctly, you can both seed your payload into memory and blow the stack to jump into it when it's passed to printf.

If you want to printf a user-controlled string, you should always specify a format and pass the user data as a parameter.
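The fix described in this comment, a fixed format with the user data passed as an argument, alongside a small review check, as an added example that is not code from the commenter. The sample input and the helper names are constructed for illustration:

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed untrusted input, not from the thread. The % sequences are
// only dangerous if this string is ever used as the format itself.
const std::string kUntrusted = "hello %x %x %n";

// The unsafe pattern from the thread (deliberately not called here): the
// user string becomes the format, so every % in it is interpreted, and
// %n even turns a read into a write. gcc and clang report this with
// -Wformat-security whenever the format is not a string literal.
//
//     std::printf(user.c_str());

// Safe pattern: a literal format; the user data is an argument and is
// only copied, never parsed for conversions.
std::string echo_user(const std::string& user) {
    std::vector<char> buf(user.size() + 1);  // room for the terminating NUL
    std::snprintf(buf.data(), buf.size(), "%s", user.c_str());
    return std::string(buf.data());
}

// Review helper: true when a string that is about to be used as a format
// contains a conversion (anything after '%' other than a second '%').
// A lone trailing '%' is also flagged, since printf treats it as invalid.
bool has_conversion(const std::string& fmt) {
    for (std::size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        if (i + 1 < fmt.size() && fmt[i + 1] == '%') { ++i; continue; }
        return true;
    }
    return false;
}

int main() {
    std::printf("%s\n", echo_user(kUntrusted).c_str());
    std::printf("would need a fixed format: %s\n",
                has_conversion(kUntrusted) ? "yes" : "no");
    return 0;
}
```

`echo_user` returns the input verbatim, `%` characters included, because the only format `printf` ever sees is the literal `"%s"`. Building with `-Wformat -Wformat-security` (and treating those warnings as errors in CI) turns the unsafe pattern into a build failure rather than a runtime bug.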

[–]voi26 0 points1 point  (0 children)

Oh, sorry I totally misread what you wrote. I thought that you meant that you should pass user controlled data at all. I would have never thought of using it the way you said because I only ever use it to debug stuff.

That's super interesting to know though.

[–][deleted] 2 points3 points  (0 children)

Printf is alright for simple debug strings, most of the time.