This C library provides prepared statements for the system() function. It’s under the Apache license.
Maybe you can see the appeal of adopting something like this:
return systemf1("/bin/mymagicfunc %s", user_input);
but I’m wary of what looks like a lot of parsing and other junk. Most of the time I’ll just do this:
setenv("a", user_input, 1); return system("/bin/mymagicfunc \"$a\"");
which is almost as convenient, has the same “security advantage” as systemf (handling spaces and special characters in user_input) and the further advantage of “a whole lot less code”, not to mention less code written by Cisco.
I agree with @geocar that the formatting bits are somewhat concerning. Especially since they use nonstandard format specifiers and so can’t take advantage of compiler warnings like -Wformat.
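The setenv pattern from the thread, set beside the string-concatenation call it replaces, as an added example that is not part of the original comments or of the systemf library. The function names are hypothetical and the shell's `printf` stands in for /bin/mymagicfunc so the effect is visible in captured output.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Run a shell command and capture up to cap-1 bytes of its stdout. */
static int capture(const char *cmd, char *out, size_t cap)
{
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(out, 1, cap - 1, p);
    out[n] = '\0';
    return pclose(p);
}

/* Unsafe (hypothetical helper): the input is pasted into the command
 * line, so the shell parses it as shell syntax. */
int echo_concat(const char *user_input, char *out, size_t cap)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "printf '%%s' %s", user_input);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    return capture(cmd, out, cap);
}

/* Pattern from the thread (hypothetical helper): the command string is a
 * constant and the input travels in the environment. "$a" is expanded
 * after parsing and, being quoted, is not split or re-parsed. */
int echo_env(const char *user_input, char *out, size_t cap)
{
    if (setenv("a", user_input, 1) != 0) return -1;
    int rc = capture("printf '%s' \"$a\"", out, cap);
    unsetenv("a");
    return rc;
}

int main(void)
{
    const char *input = "x; echo INJECTED";   /* constructed sample input */
    char out[256];
    if (echo_concat(input, out, sizeof out) == 0)
        printf("concat: [%s]\n", out);        /* shell ran a second command */
    if (echo_env(input, out, sizeof out) == 0)
        printf("env:    [%s]\n", out);        /* input arrived verbatim */
    return 0;
}
```

Quoting only stops the shell from interpreting the value; a value that begins with `-` still reaches the program as a possible option, so the called program's own argument handling needs checking separately.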