Article: Input Validation in C and C++
Subject: Good for beginners, waste for experts
Date: 2003-07-26 23:55:30
From: anonymous2
This Microsoft / Linux centric book looks good for beginners and a boring waste for experts. The assumptions made about strncpy - that programmers forget the destination string doesn't have a NULL all of the time - is disconcerting, especially when K&R points that out specifically in the function definition.

As for pushing all of the vendor technologies, I agree with the previous poster who basically says "buyer beware". This reads more like an advertisement than a guide to defensive programming.

As a point, a shop I worked in wrote our own string class - with memory checking. Problem solved.

Overall opinion - this book may be good for beginners, but experts will know all of the gotchas and be bored silly.
Replies (showing messages 1 through 1 of 1):
1. I'm not sure how you came to the conclusion that the book is Microsoft / Linux centric, but it is neither. Linux and Microsoft Windows are covered, yes, but in general most all of the recipes apply to all platforms. We specifically cover Darwin, FreeBSD, Linux, NetBSD, OpenBSD, Solaris, and Windows.
2. It's great and all that K&R point out how strncpy() is defined to work, but the reality is that many programmers (novice and expert both) misuse the function far too often, and it's a very real problem. We've made no assumptions about programmers misusing strncpy(). Check out the archives for mailing lists like bugtraq for yourself and count the instances of programmers making the same mistakes over and over again.
3. We're not pushing any vendor technologies. We're not trying to sell anything. Every existing technology that we reference is freely available, and we simply point out that these technologies exist along with their pros and cons. It is true that we have some affiliation with some of the technologies referenced; however, there are many others with which we have no affiliation.
Some of the recipes in the book may only be of interest to beginners, sure, but there is a wide selection of recipes that we hope will be of interest to all levels of expertise. We neither expect nor intend the whole of the book to be of interest to everyone. Because the book is written in a cookbook style, the reader can easily pick and choose the recipes that are of interest.
Everyone likes to fancy themselves an expert, but the fact of the matter is that if everyone were an expert, the state of software security would not be what it is today. I firmly believe that there is something for everybody in this book--including you.
You are certainly entitled to your opinion, but I encourage you to actually look at the book before passing judgment based on such a small excerpt from it. You might be surprised at what you find.
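As an added illustration of the strncpy() point raised in both the review and the reply (this is constructed example code, not from the book or from either poster): strncpy_terminated() makes visible that strncpy() writes no terminator when the source is at least n bytes long, and copy_bounded() is a hypothetical replacement that always NUL-terminates and reports truncation so the caller can reject over-long input rather than silently shortening it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shows the behaviour K&R documents: strncpy(dst, src, n) writes no
 * terminator when strlen(src) >= n. The buffer is pre-filled with a
 * sentinel so a missing NUL is visible. Returns true if a NUL landed
 * inside the n copied bytes. (Constructed demonstration, not book code.) */
bool strncpy_terminated(const char *src, size_t n)
{
    char buf[8];
    if (n > sizeof buf) {
        n = sizeof buf;             /* keep the demo itself in bounds */
    }
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

/* Hypothetical replacement, not an API from the book: copies at most
 * dst_size - 1 bytes, always NUL-terminates, and reports truncation so
 * the caller can reject over-long input instead of silently shortening it. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t src_len;
    if (dst == NULL || dst_size == 0) {
        return true;                /* nothing can be written safely */
    }
    src_len = strlen(src);
    if (src_len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return true;                /* truncated */
    }
    memcpy(dst, src, src_len + 1);  /* includes the terminator */
    return false;
}

int main(void)
{
    char name[8];
    printf("strncpy with a short source terminated: %s\n",
           strncpy_terminated("short", sizeof name) ? "yes" : "no");
    printf("strncpy with an over-long source terminated: %s\n",
           strncpy_terminated("toolongstring", sizeof name) ? "yes" : "no");
    if (copy_bounded(name, sizeof name, "toolongstring")) {
        printf("input rejected: too long (would have been \"%s\")\n", name);
    }
    return 0;
}
```

The truncation flag is the part that matters for input validation: a copy routine that silently shortens data lets an attacker-controlled string pass a length check it should have failed, so the caller should treat a true return as a validation error, not as a successful copy.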