Security best practices in C/C++

During the design and development of your app, there are certain programming practices that you should consider. These practices help to protect your app, as well as other apps and user data, from security vulnerabilities.

Function safety

You can avoid some common programming issues by using safer versions of C functions. The following table lists unsafe functions and their safer versions (if available), as well as additional considerations for making some functions safer to use. For more information, see the C Library reference.

Each entry below lists the unsafe function, the preferred function (if any), and comments.

Unsafe: gets()
Preferred: fgets()
Comments: fgets() reads a string of characters from the stream and stores them in the specified array. Use fgets() instead of gets() because it allows you to specify the length of the buffer to store the string in. gets() receives a pointer to an array, but because the size of the array is not specified, a buffer overflow attack may be possible.

Unsafe: getwd()
Preferred: getcwd()
Comments: getcwd() returns the name of the current working directory. Use getcwd() instead of getwd() because it allows you to specify the size of the buffer where the null-terminated name of the current working directory is placed. The maximum size for the buffer parameter of getcwd() is PATH_MAX + 1 bytes.

Unsafe: realpath()
Preferred: none listed
Comments: This function resolves a path. If you use realpath(), ensure the function's resolved_path parameter is large enough to handle the data.

Unsafe: scanf() family of functions
Preferred: none listed
Comments: These functions scan formatted input. If you use these functions, do not send data to a buffer without controlling the maximum length of the arguments (for example, by giving each string conversion a maximum field width).

Unsafe: sprintf() and vsprintf()
Preferred: snprintf() and vsnprintf()
Comments: snprintf() and vsnprintf() write formatted output to a character array, up to a given maximum number of characters. Both functions place a NUL character at the end of the generated character string. Use snprintf() instead of sprintf() because it requires you to specify the maximum number of bytes to use in the buffer. Use vsnprintf() instead of vsprintf() for the same reason: it is given the size of the buffer and can help you avoid buffer overruns.

Unsafe: strcpy() and strncpy(); strcat() and strncat()
Preferred: strlcpy() and strlcat()
Comments: strlcpy() copies strings and strlcat() concatenates strings. The strlcpy() and strlcat() functions are designed to be safer, more consistent, and less error-prone replacements for strncpy() and strncat().

strlcpy() and strlcat() take the full size of the buffer (not just the length) and are guaranteed to NUL-terminate the result (as long as the size is larger than 0 or, in the case of strlcat(), as long as there is at least one byte free in the destination string).

The "wide" versions of these functions are also dangerous. There is no alternate version of wcscpy() that allows you to specify the size of the buffer. wcsncpy() does not necessarily NUL-terminate the output. You must ensure that the output buffer is NUL-terminated.
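As an added example (not code from the original page), the string-handling points in the table demonstrated in C: a bounded copy written by hand in the spirit of strlcpy() (because strlcpy() is not available in every C library), the strncpy() non-termination pitfall, and checking the return value of snprintf() for truncation. The function names bounded_copy(), strncpy_leaves_terminator() and format_record() are my own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy in the spirit of strlcpy(): takes the full size of dst,
 * always NUL-terminates when dstsize > 0, and returns strlen(src) so the
 * caller can detect truncation (a result >= dstsize means it was cut). */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* The strncpy() pitfall from the table: if src has dstsize or more characters,
 * strncpy() writes no terminator. Returns whether a NUL exists in dst afterwards. */
bool strncpy_leaves_terminator(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Bounded formatting with snprintf(): the output is always terminated, but the
 * return value is the length snprintf() *wanted* to write, so truncation must
 * be checked explicitly. Returns true when the output was truncated. */
bool format_record(char *dst, size_t dstsize, const char *user, int id)
{
    int needed = snprintf(dst, dstsize, "user=%s id=%d", user, id);
    return needed < 0 || (size_t)needed >= dstsize;
}

int main(void)
{
    char buf[8];

    /* "abcdefgh" is 8 characters: it fills buf exactly and strncpy() leaves no NUL. */
    printf("strncpy terminated: %d\n", strncpy_leaves_terminator(buf, sizeof buf, "abcdefgh"));

    /* bounded_copy() keeps 7 characters, terminates, and reports the truncation. */
    size_t len = bounded_copy(buf, sizeof buf, "abcdefgh");
    printf("bounded_copy: \"%s\" truncated=%d\n", buf, len >= sizeof buf);

    /* snprintf() terminates too; only its return value reveals the truncation. */
    bool cut = format_record(buf, sizeof buf, "alice", 42);
    printf("format_record: \"%s\" truncated=%d\n", buf, cut);
    return 0;
}
```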

Last modified: 2015-04-16
