by notepad0x90 641 days ago
The vulnerability class is hardly unique to SQL. Any program that constructs content to be processed by another program or sub-routine, where an attacker can control the content, has the potential to exhibit such a vulnerability. A good example is format strings in C, or CGI scripts that call each other or run OS commands.
2 comments

> A good example is format strings in C

The D programming language allows direct use of C printf. However, D checks the arguments against the format specifiers in the format string to make it memory safe.

The constant stream of bugs due to format/arguments is now history.

There is no reason why C and C++ compilers cannot do this, too.

For static specifiers, I can see that. But for dynamically constructed format specifiers, especially where arrays to pointers/vargs are in use, is it possible to have a mitigation for that?

This pseudo-code as an example:

  snprintf(fmt,userinputstring,args);
  printf(fmt,somearray);

Your suspicion is correct, the checks only work when the format string is a literal.
Like any LLM
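
For the dynamically constructed case asked about in the thread, where compile-time checks do not apply, one runtime mitigation is to validate the format string against the argument types the call site actually passes before it reaches a printf-family function. The C below is an added example, not code from any commenter or from D; `fmt_conforms`, `checked_snprintf` and the `expect` signature string are hypothetical names, and it assumes only flags, numeric width/precision and a bare conversion character are permitted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Return 1 only if fmt contains exactly the conversions listed in expect
 * (e.g. "sd" = one char *, then one int), in that order. */
static int fmt_conforms(const char *fmt, const char *expect)
{
    size_t i = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')                  /* "%%" is a literal percent */
            continue;
        p += strspn(p, "-+ #0");          /* flags */
        p += strspn(p, "0123456789");     /* numeric width only */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789");  /* numeric precision */
        /* What remains must be the expected conversion character, so '*',
         * '$', length modifiers, %n and a trailing lone '%' are rejected. */
        if (*p == '\0' || *p == 'n' || *p != expect[i])
            return 0;
        i++;
    }
    return expect[i] == '\0';
}

/* snprintf wrapper: the dynamic fmt is used only after it passes the check.
 * The caller must pass arguments that really match expect. */
static int checked_snprintf(char *out, size_t n, const char *expect,
                            const char *fmt, ...)
{
    va_list ap;
    int r;
    if (!fmt_conforms(fmt, expect))
        return -1;
    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: one benign format, one hostile one. */
    printf("%d\n", checked_snprintf(buf, sizeof buf, "sd", "%s: %d", "n", 7));
    printf("%d\n", checked_snprintf(buf, sizeof buf, "sd", "%s%n%x%x", "n", 7));
    return 0;
}
```

When the untrusted text is data rather than a template, passing it as an argument to a literal `"%s"` avoids the problem entirely and keeps the compiler's literal-format checks in play.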