
security - Buffer overflow vulnerability in Delphi

I'm interested to know: is Delphi vulnerable to buffer overflow attacks? I read some pages which mentioned that Delphi is secure against that vuln because "Delphi can use Pascal strings as well as generic Windows strings (PChar). When interfacing with Win API there is no other option except using PChar". Is that true? Thanks.

Question from: https://stackoverflow.com/questions/65621454/buffer-overflow-vulnerability-in-delphi


1 Reply

0 votes
by (71.8m points)

> is Delphi vulnerable to Buffer overflow attack?

MOST languages are susceptible to buffer overflow attacks. A buffer overflow is a coding bug, not a language defect. For example, in Delphi:

var
  buf: array[0..0] of Byte;
  i: Integer;
begin
  Move(buf, i, sizeof(i)); // buffer overflow!
  PInteger(@buf)^ := i;    // buffer overflow!
end;

MOST languages will let you shoot yourself in the foot, if you are not careful. There is only so much hand-holding a compiler can do. Not everything can be avoided at compile-time. Programming is not just about writing code that compiles, but also about writing code that acts correctly and responsibly at runtime.

SOME languages may wrap buffers in such a way that bounds checking is performed at runtime, mitigating the risk of buffer overflows. Delphi is not one of those languages, since it allows you to operate directly on raw memory, so you can pretty much do whatever you want (well, whatever the underlying OS lets you do, anyway). And this is certainly true for Pascal strings.

> I read some pages which mentioned Delphi is secure to that vuln because "Delphi can use Pascal strings as well as generic windows strings (PChar).

Delphi has no features to avoid all possible kinds of buffer overflows. But, if you write your code to use buffers correctly and sanely, overflows are not likely to happen. This is not limited to just strings, either.

> When interfacing with Win API there is no other option except using Pchar". is that true?

It depends on the particular API. Most use simple null-terminated PChar strings, yes. But some use UNICODE_STRING records instead, which use WideChar buffers that are not guaranteed to be null-terminated. Some use ActiveX/COM BSTR (Delphi WideString) strings instead.
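
An added example, not part of the original answer: the two copies from the answer's snippet routed through an explicit size check, followed by what the `{$R+}` range-checking directive does and does not cover. `CheckedMove` is a hypothetical helper name chosen for this illustration, not an RTL routine.

```delphi
program BoundedCopyDemo;
{$APPTYPE CONSOLE}
{$R+} // range checking: covers indexed access only, not Move or pointer casts

uses
  SysUtils;

// Hypothetical helper: copy Count bytes only if it fits both buffers.
procedure CheckedMove(const Src; SrcSize: Integer;
  var Dst; DstSize, Count: Integer);
begin
  if (Count < 0) or (Count > SrcSize) or (Count > DstSize) then
    raise ERangeError.CreateFmt('%d bytes requested, source %d, dest %d',
      [Count, SrcSize, DstSize]);
  Move(Src, Dst, Count);
end;

var
  buf: array[0..0] of Byte;
  i, idx: Integer;
begin
  i := $11223344;
  buf[0] := 0;

  // First line of the answer's snippet: 4 bytes read from a 1-byte source.
  try
    CheckedMove(buf, SizeOf(buf), i, SizeOf(i), SizeOf(i));
  except
    on E: ERangeError do Writeln('rejected over-read:  ', E.Message);
  end;

  // Second line of the snippet: 4 bytes written into a 1-byte destination.
  try
    CheckedMove(i, SizeOf(i), buf, SizeOf(buf), SizeOf(i));
  except
    on E: ERangeError do Writeln('rejected over-write: ', E.Message);
  end;

  // A copy sized to the smaller buffer goes through.
  CheckedMove(i, SizeOf(i), buf, SizeOf(buf), SizeOf(buf));

  // {$R+} does catch an out-of-range runtime index on the same array.
  idx := 1;
  try
    buf[idx] := $FF;
  except
    on ERangeError do Writeln('range check caught buf[', idx, ']');
  end;
end.
```

Range checking is off by default, and even when enabled it never sees the raw `Move` or `PInteger(@buf)^` forms, so those need a size check written by hand.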

