As far as I can tell (which, I'll be the first one to admit, doesn't count for that much) this code is so simple that there are no holes that could be exploited.
char * query = getenv("QUERY_STRING");
char * pair;
char * key;
double value;
if(query && strlen(query) > 0) {
pair = strtok(query, "&");
while(pair) {
key = (char *)malloc(strlen(pair)+1);
sscanf(pair, "%[^=]=%lf", key, &value);
if(!strcmp(key, "lat")) {
lat = value;
} else if(!strcmp(key, "lng")) {
lng = value;
}
free(key);
pair = strtok((char *)0, "&");
}
}
