Peter Eisentraut wrote:
> -Wformat-security warns about
>
> printf(var);
>
> but not about
>
> printf(var, a);
>
> I don't understand that; the crash or exploit potential is pretty much the
> same in both cases.
Not sure this is the reason, but in the first case any risk is trivially
avoided by using puts() or printf("%s", var) instead. So printf(var) is
almost certainly not what you mean.
I think that's a reasonable warning to have enabled, whereas the other
one is more of a "try it sometime, you might find something" kind of
warning.
Jeroen
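An added example, not from the thread: the printf(var) shape beside the puts()/printf("%s", var) fix Jeroen mentions, and a runtime guard for the printf(var, a) shape that -Wformat-security stays silent on. format_spec, echo_unsafe, echo_safe and echo_checked are hypothetical names; snprintf is used instead of printf so the results can be inspected.

```c
#include <stdio.h>
#include <string.h>

/* Parse a printf-style format and record the conversions it contains: one
 * char per consumed argument ('*' for a width/precision taken from the
 * argument list), NUL-terminated in out. Returns the argument count, or -1
 * if the format is malformed (trailing '%', unknown conversion, or %n, which
 * this guard rejects outright). This is the check -Wformat does at compile
 * time, which it can only do when the format is a string literal. */
int format_spec(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                        /* "%%": literal '%' */
        while (*p && strchr("-+ #0", *p)) p++;          /* flags */
        if (*p == '*') { if (n + 1 >= outlen) return -1; out[n++] = '*'; p++; }
        else while (*p >= '0' && *p <= '9') p++;        /* width */
        if (*p == '.') {                                /* precision */
            p++;
            if (*p == '*') { if (n + 1 >= outlen) return -1; out[n++] = '*'; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLjzt", *p)) p++;         /* length modifiers */
        if (!*p || !strchr("diouxXeEfFgGaAcsp", *p)) return -1;
        if (n + 1 >= outlen) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* What -Wformat-security warns about: the data itself is the format. */
int echo_unsafe(char *buf, size_t size, const char *var)
{
    return snprintf(buf, size, var);   /* warning: format not a string literal */
}

/* The trivial fix: a literal format, the data passed as an argument. */
int echo_safe(char *buf, size_t size, const char *var)
{
    return snprintf(buf, size, "%s", var);
}

/* The printf(var, a) shape the warning does not cover. The compiler cannot
 * check a non-literal format, so check it at runtime: accept only a format
 * that consumes exactly one %s, matching the single argument supplied. */
int echo_checked(char *buf, size_t size, const char *var, const char *a)
{
    char spec[4];
    if (format_spec(var, spec, sizeof spec) != 1 || spec[0] != 's') return -1;
    return snprintf(buf, size, var, a);   /* no -Wformat-security warning here */
}
```

With the constructed input "50%% off", echo_unsafe consumes the "%%" as a format escape while echo_safe passes the bytes through unchanged, which is the difference between the two calls even before any real conversion directive is involved.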
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers