If you are using c++, why not avoid the whole mess and use std::string. The same example without any errors would look like this:

std::string prefix = "Sector_Data\\sector";
prefix += "0";
prefix += "\\"

no need to worry about buffer sizes and all that stuff. And if you have an API which takes a const char *, you can just use the .c_str() member;

some_c_api(prefix.c_str());

You can get rid of these warning by adding:

_CRT_SECURE_NO_WARNINGS

and

_SCL_SECURE_NO_WARNINGS

to your project's preprocessor definitions.

That's one of the string-manipulation functions in C/C++ that can lead to buffer overrun errors.

The problem is that the function doesn't know what the size of the buffers are. From the MSDN documentation:

The first argument, strDestination, must be large enough to hold the current strDestination and strSource combined and a closing '\0'; otherwise, a buffer overrun can occur.

strcat_s takes an extra argument telling it the size of the buffer. This allows it to validate the sizes before doing the concat, and will prevent overruns. See http://msdn.microsoft.com/en-us/library/d45bbxx4.aspx

To turn the warning off, you can do this.

#pragma warning(disable:4996)

btw, I strongly recommend that you use strcat_s().

There are two problems with strcat. First, you have to do all your validation outside the function, doing work that is almost the same as the function:

if(pDest+strlen(pDest)+strlen(pScr) < destSize)

You have to walk down the entire length of both strings just to make sure it will fit, before walking down their entire length AGAIN to do the copy. Because of this, many programmers will simply assume that it will fit and skip the test. Even worse, it may be that when the code is first written it is GUARANTEED to fit, but when someone adds another strcat, or changes a buffer size or constant somewhere else in the program, you now have issues.

The other problem is if pSrc and pDst overlap. Depending on your compiler, strcat may very well be simple loop that checks a character at a time for a 0 in pSrc. If pDst overwrites that 0, then you will get into a loop that will run until your program crashes.

Because it has no means of checking to see if the destination string (prefix) in your case will be written past its bounds. strcat essentially works by looping, copying byte-by-byte the source string into the destination. Its stops when it sees a value "0" (notated by '\0') called a null terminal. Since C has no built in bounds checking, and the dest str is just a place in memory, strcat will continue going ad-infinidium even if it blows past the source str or the dest. str doesn't have a null terminal.

The solutions above are platform-specific to your windows environment. If you want something platform independent, you have to wrangle with strncat:

strncat(char* dest, const char* src, size_t count)

This is another option when used intelligently. You can use count to specify the max number of characters to copy. To do this, you have to figure out how much space is available in dest (how much you allocated - strlen(dest)) and pass that as count.