Hacker News new | past | comments | ask | show | jobs | submit login

Still an order of magnitude easier not to shoot yourself in the foot in most higher level language.

Pretty sure you still have to use plain arrays and strcmp, what are these "safe" libraries you were going to use? Unless we are talking about C++ here?

Also C supports unicode fine (to the extent it supports strings) and REPL can't hardly be considered a requirement for web development considering Java, .NET and PHP* don't have REPL's.

*Looks like PHP has some now.




Pretty sure you still have to use plain arrays and strcmp, what are these "safe" libraries you were going to use? Unless we are talking about C++ here?

glib: https://en.wikipedia.org/wiki/GLib

There are others. Basically, if you wrap your dangerous C app in a thin, impenetrable layer of solid string processing and input validation, it's very manageable.

Valgrind and input fuzzing help considerably to work out any bugs.


> Still an order of magnitude easier not to shoot yourself in the foot in most higher level language.

I would argue that C's lack of robust string concatenation encourages most people to avoid concatenating strings at all costs. Most DB libraries support bound parameters, which would be much easier to use than constructing an arbitrary sql string in C. So, I would argue the tendency for a competent C programmer is to do the safe thing rather than the lazy thing other languages make easy that exposes you to SQL injections.

Along with that, most scripting languages are written in C. I know a lot of people who have written PHP extensions in C. This article seems to suggest that no one does any web development in C, when almost every large company I know of does so, even if it is just to speed up slow parts of their app by adding new functions to PHP.


> Pretty sure you still have to use plain arrays and strcmp, what are these "safe" libraries you were going to use?

So, thought it would be worth giving some examples. By far the lowest level solution are things like strlcpy & strlcat, which basically still live in a NULL terminated world by try not to be stupid about it:

http://www.gratisoft.us/todd/papers/strlcpy.html

There are some specifically targeting strings and making them both more efficient and safer:

http://bstring.sourceforge.net/

There's more sophisticated runtimes like glib or APR, which almost seem like they are trying to completely replace the C runtime, but they provide very clean memory management interfaces and string & blob/block abstractions that allow you to avoid having to worry about a buffer overflow.

Then there are solutions built on top of the likes of that. Things like the GGSK: http://gsk.sourceforge.net/

There's lots more, but it's late and I'm tired. ;-)


For strcmp, the safer strncmp version?

Also you should compile your app with apparmor and run it under grsecurity.

REPL like behaviour you can get with gdb. :)


> Still an order of magnitude easier not to shoot yourself in the foot in most higher level language.

There are some best practices that tend to help you to limit the risk a lot. Still... a lot of people do web development in JavaScript, and I'd cite it as a very strong exception to your assertion.

> Pretty sure you still have to use plain arrays and strcmp, what are these "safe" libraries you were going to use?

Pretty much all of the "NULL terminated" functions have a length terminated equivalent that you can (and should) use instead. There are also blob & string abstractions available that wrap arrays and strings in structs that have fields to track the size of the allocated space, with the side benefit of making C's evil type coercion a bit harder to bump into.

> Also C supports unicode fine

Particularly if you use ICU4C, C actually has the best unicode support out there (obviously there is ICU4J which gets merged into Java regularly, but often you get stuck with an old VM with an ancient version). It's actually kind of shocking how painful it is to have full unicode support with higher level languages that really ought to know better.

> and REPL can't hardly be considered a requirement for web development considering Java, .NET and PHP* don't have REPL's.

> *Looks like PHP has some now

Not only does PHP have one, but Java has since forever (http://www.beanshell.org/), and .NET really kind of does have a few semi-reasonable options (http://www.linqpad.net/, http://www.sliver.com/dotnet/SnippetCompiler/, http://www.mono-project.com/CsharpRepl, not to mention: http://technet.microsoft.com/en-us/library/bb978526.aspx).

Of course, so does C (http://root.cern.ch/drupal/content/cint, http://root.cern.ch/drupal/content/cling, http://www.softintegration.com/products/chstandard/, and arguably even things like https://code.google.com/p/picoc/ or http://ups.sourceforge.net/main.html can serve if you are desperate).




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: