Issue With Code: Format string is not a string literal [duplicate]

Possible Duplicate:
SnowLeopard Xcode warning: “format not a string literal and no format arguments”

I am getting the following issue for this line of code.

"Format string is not a string literal (potentially insecure)"

NSLog([NSString stringWithFormat:@"%@", entered]);

Any suggestions?


The compiler wants us to use an NSString constant for the format string (the first argument to NSLog) because it prevents a fairly well-known exploit that could potentially violate security. So for example, you could change the code you posted as follows to keep the compiler happy:

NSLog(@"%@", [NSString stringWithFormat:@"%@", entered]);

EDIT

And of course, the above could (and should) simply be written as follows:

NSLog(@"%@", entered);

Nature of Security Exploits

Uncontrolled format string[1] is a type of software vulnerability, discovered around 1999, that can be used in security exploits. Previously thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.

A typical exploit uses a combination of these techniques to force a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious shellcode. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached. The start of the format string is crafted to contain the address that the %n format token can then overwrite with the address of the malicious code to execute.

Source: Wikipedia Uncontrolled Format String

[1]: http://cwe.mitre.org/data/definitions/134.html "CWE-134: Uncontrolled Format String". Common Weakness Enumeration. MITRE.
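The fix in the answer above (a literal format string, with the untrusted value passed as an argument) is the same pattern the C printf family needs. Below is an added example in plain C, not code from the question or from any of the answers, that shows the safe pattern and a small defender-side check; the function names has_format_directive, render_untrusted and renders_verbatim, and the sample input, are constructed for this illustration:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not from the question or answers). The untrusted text is
 * always an argument to a literal "%s" format, which is the C equivalent of
 * NSLog(@"%@", entered): every byte is copied verbatim and no directive in
 * the input is ever interpreted. */

/* Detection helper: returns true if an untrusted string contains anything a
 * printf-family function would treat as a conversion, i.e. a '%' that is not
 * part of the literal escape "%%". Useful for logging or flagging input before
 * it reaches a formatting API (the real defence is render_untrusted below). */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return true;            /* "%x", "%n", "%s", ... : a directive */
    }
    return false;
}

/* Safe pattern: the format string is a compile-time literal and the untrusted
 * text is an argument. Returns what snprintf returns (characters that would
 * have been written, not counting the terminator). */
int render_untrusted(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, "%s", untrusted);
}

/* Self-check: renders the input through the safe path and confirms the
 * output is byte-for-byte identical to the input, proving that "%x" or "%n"
 * inside the data were copied as text rather than interpreted. */
bool renders_verbatim(const char *untrusted)
{
    char buf[256];
    int n = render_untrusted(buf, sizeof buf, untrusted);
    return n >= 0 && (size_t)n < sizeof buf
        && (size_t)n == strlen(untrusted)
        && strcmp(buf, untrusted) == 0;
}

int main(void)
{
    /* Constructed sample input, the kind of value 'entered' might hold. */
    const char *entered = "hello %x %x %n";
    char buf[64];

    if (has_format_directive(entered))
        fprintf(stderr, "note: input contains format directives; treating it as data\n");

    render_untrusted(buf, sizeof buf, entered);
    printf("%s\n", buf);    /* prints the input literally, directives and all */
    return 0;
}
```

Compiling the vulnerable form `printf(entered)` with -Wformat-security produces the same class of warning the question shows; with `printf("%s", entered)` the warning goes away and the input can no longer steer the formatter.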


Here is the solution.

Warning: "format not a string literal and no format arguments"

Try with

NSLog(@"%@",entered);

because NSLog can also do formatting for you...


Try:

NSLog(@"%@",[NSString stringWithFormat:@"%@",entered]);

Hope this helps you. :)