Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications. These best practices, derived from Security Innovation’s assessments of the world’s most dominant software applications, are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.


Use Static Format Strings


What to Do

Don't allow user input in format strings. (Re-)Write code to guarantee that user input is never used in format strings.


An attacker who can control the contents of a format string may be able to execute arbitrary code.


Perform the following actions to ensure that user input is not used in format strings:

  1. Identify code that uses formatted input-output functions. The following is a list of formatted input-output functions:
  • NSLog
  • stringWithFormat
  • stringByAppendingFormat
  • initWithFormat
  • appendFormat
  • alertWithMessageText
  • informativeTextWithFormat
  • format
  • appendFormat
  • predicateWithFormat
  • sprintf
  • _snprintf
  • printf
  • fprintf
  • scanf
  • fscanf
  • sscanf
  • swprintf
  • wsprintfA
  • wsprintfW
  • vsprintf
  • vswprintf
  • _snwprintf
  • _vsnprintf
  • _vsnwprintf
  • vprintf
  • vwprintf
  • vfprintf
  • vwfprintf
  • fwscanf
  • wscanf
  • swscanf
  2. Avoid using formatted functions. Consider replacing formatted input-output functions with other functions, which are not prone to format string vulnerabilities.
  3. (Re-)Write code to exclude user input from format strings. Place user input in separate variables and pass it as variadic arguments to the formatted input-output functions, instead of allowing it in format strings.
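
The last two actions above (replacing a formatted function, and passing user input as an argument to a static format string) sketched in C. This is an added example, not code from the original post or from TeamMentor; the function names `format_greeting` and `copy_message` and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* BEFORE (vulnerable; kept as a comment so it is never compiled or run):
 *     snprintf(out, outlen, user_input);
 * Here the user input IS the format string, so any '%' sequences in it
 * are interpreted as conversion specifiers.
 */

/* AFTER, static format string: the format is a literal and the user
 * input is passed only as a variadic argument, so it is copied as data.
 * Returns the number of characters written, or -1 on error/truncation. */
int format_greeting(char *out, size_t outlen, const char *user_input)
{
    int n = snprintf(out, outlen, "Hello, %s!", user_input);
    /* snprintf returns the length it needed; treat truncation as failure */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* AFTER, no formatted function at all: a bounded copy that never
 * interprets the input. Returns the length copied, or -1 if it won't fit. */
int copy_message(char *out, size_t outlen, const char *user_input)
{
    size_t len = strlen(user_input);
    if (len >= outlen)
        return -1;
    memcpy(out, user_input, len + 1);   /* +1 copies the terminating NUL */
    return (int)len;
}

int main(void)
{
    /* Constructed sample input that contains conversion specifiers. */
    const char *sample = "%x %x %n";
    char buf[64];

    if (format_greeting(buf, sizeof buf, sample) >= 0)
        puts(buf);                /* specifiers appear literally in the output */
    if (copy_message(buf, sizeof buf, sample) >= 0)
        fputs(buf, stdout);       /* fputs does not interpret '%' */
    putchar('\n');
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC and Clang) flags calls like the one in the BEFORE comment, where a non-literal string is passed as the format with no arguments.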


