Seems strncmp
is usually recommended than strcmp
, what are the advantages? I think it could be related to security. If this is the case, is it still applicable if one of the input string is known to be literal constant, like "LiteralString"
?
UPDATE:
I mean under the same user scenario where whole strings need to be compared, and strncmp
can be used as below. I am wondering it makes sense or not.
strncmp(inputString, "LiternalString", strlen("LiternalString"));
The problem with strcmp
is that sometimes, if by mistake, arguments that are passed are not valid C-strings (meaning that p1 or p2 is not terminated with a null character i.e. not NULL-terminated String), then, strcmp continues comparing until it reaches non-accessible memory and crashes or sometimes results to an unexpected behaviour.
Using strncmp
you can limit the search, so that it doesn't reach non-accessible memory.
But, from that it should not be said that strcmp
is insecure. Both the functions works well in the way they are intended to work. Programmer should read man
page for that function before using it and must be sincere enough when passing parameters to such library functions.
You can also read THIS which contains an almost similar question.
strncmp
does not have "advantages over strcmp
"; rather they solve different problems. strcmp
is for determining if two strings are equal (and if not, possibly how to order/sort them with respect to each other). strncmp
is (mainly) for determining whether a string begins with a particular prefix. For example:
if (strncmp(str, "--option=", 9)==0)
will determine if str
begins with "--option="
. This cannot be achieved by strcmp
without either modifying the string to be checked (which may not be a valid operation) or making a useless copy of it. It also cannot be achieved with memcmp
unless you already know str
points to an object at least 9 bytes in length; otherwise the call to memcmp
would have undefined behavior.
There are other usage cases for strncmp
too, such as working with non-C-string data.
Just post an anti-strncmp use case here. Think about the following code.
#include <stdio.h>
#include <dirent.h>
int main()
{
//I want to list all files under current folder, include hidden files.
DIR *dir;
struct dirent *dp;
char * file_name;
dir = opendir(".");
while ((dp=readdir(dir)) != NULL) {
printf("debug: %s\n", dp->d_name);
if ( !strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..") )
//It doesn't work if you replace strcmp with strncmp here.
//if ( !strncmp(dp->d_name, ".", 1) || !strncmp(dp->d_name, "..", 2) )
{
} else {
file_name = dp->d_name;
printf("file_name: \"%s\"\n",file_name);
}
}
closedir(dir);
return 0;
}
int ret1, ret2;
char dev1[] = { "ABC" };
char dev2[4] = { "ABC" };
dev2[3] = 'D';
ret1 = strncmp(dev1,dev2,strlen(dev1)); // # of characters
ret2 = strncmp(dev1,dev2,sizeof(dev1)); // # of characters plus '\0'
assume: dev1 is null terminated and dev2 is probably not. ret1 = 0 (false positive result), rather than ret2=-1 (valid result)
fazit: strncmp is not just a safer way for strcmp. depends on how you make use of it.
i´d use strcmp on strings, and strncmp on substring search.
strcmp could lead to storage volation and segmentation fault in case where one of arguments is not null-terminated string. Take a look why you should use strncpy instead of strcpy. Consequences are unlikely to happen in strcmp, but issue is the same. strnxxx function family try to prevent reading/writing not acquired memory.
Disadvantage of using strn is extra compare and decrement operation on counter.
In few words: strncmp is safer then strcmp, but it is slower too.
I could see only one advantage, that strncmp will take slightly less time to execute than strcmp as we will always compare prefix of string to comapre rather than entire string.
I don't think that there is any security aspect involved in strcmp and strncmp algorithm. They are same except that in strncmp only first 'n' characters are compared.
strncmp is more secure than strcmp
same as strncpy and strcpy or strlen and strnlen, because strcmp compares until first zeroterminator is found. strncmp compares until first zeroterminator but maximum n characters. So if your string has a defined length it is better to use the strn*-functions.
See also
http://www.cplusplus.com/reference/cstring/strncmp/?kw=strncmp
来源:https://stackoverflow.com/questions/30190460/advantages-of-strncmp-over-strcmp