As far as I can tell (which, I'll be the first one to admit, doesn't count for that much) this code is so simple that there are no holes that could be exploited.
char * query = getenv("QUERY_STRING"); char * pair; char * key; double value; if(query && strlen(query) > 0) { pair = strtok(query, "&"); while(pair) { key = (char *)malloc(strlen(pair)+1); sscanf(pair, "%[^=]=%lf", key, &value); if(!strcmp(key, "lat")) { lat = value; } else if(!strcmp(key, "lng")) { lng = value; } free(key); pair = strtok((char *)0, "&"); } }