A mismatch between the format specifiers and the count and type of the values results in undefined behavior and possibly a program crash. This fundamental flaw created an entire class of attacks. Uncontrolled format string is a type of code injection vulnerability, discovered around 1989, that can be used in security exploits.
[1] Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code.
The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf.
Some shells implement the command as a builtin and some provide it as a utility program. [2] The command has similar syntax and semantics to the library function. The command outputs text to standard output [3] as specified by a format string and a. String interpolation is an alternative to building a string via concatenation, which requires repeated quoting and unquoting, [2] or to substituting into a printf format string, where the variable is far from where it is used.
Consider this example in Ruby:

apples = 4
puts "I have #{apples} apples"

Most of the C file input/output functions are defined in <stdio.h> (or in the C++ header cstdio, which contains the standard C functionality but in the std namespace). printf can take one or more arguments, where the first argument is a string to be written.
This string can contain special formatting codes which are replaced by items from the remainder of the arguments.
For example, an integer can be printed using the %d formatting code, e.g. The printf() family of routines is notorious for spoiling the execution stack when the format string does not match the arguments given.