Editing Code injection (section)

=== Format specifier injection ===
{{Main|Uncontrolled format string}}Format string bugs appear most commonly when a programmer wishes to print a string containing user-supplied data. The programmer may mistakenly write <code>printf(buffer)</code> instead of <code>printf("%s", buffer)</code>. The first version interprets <code>buffer</code> as a format string and parses any formatting instructions it may contain. The second version simply prints a string to the screen, as the programmer intended. Consider the following short [[C (programming language)|C]] program that has a local variable char [[Array (data structure)|array]] <code>password</code> which holds a password; the program asks the user for an integer and a string, then echoes out the user-provided string.<syntaxhighlight lang="c">
  char user_input[100];
  int int_in;
  char password[10] = "Password1";

  printf("Enter an integer\n");
  scanf("%d", &int_in);
  printf("Please enter a string\n");
  fgets(user_input, sizeof(user_input), stdin);

  printf(user_input); // Safe version is: printf("%s", user_input);
  printf("\n");

  return 0;
</syntaxhighlight>If the user input is filled with a list of format specifiers, such as <code>%s%s%s%s%s%s%s%s</code>, then <code>printf()</code>will start reading from the [[Stack (abstract data type)|stack]]. Eventually, one of the <code>%s</code> format specifiers will access the address of <code>password</code>, which is on the stack, and print <code>Password1</code> to the screen.