The Unicode standard is beside the point. There is lots of code that does not handle charsets and encodings correctly, which can open vulnerabilities to metacharacter injection. (Examples of this class of problem are SQL injection, XSS and format string exploits.)
I can't agree. SQLite itself wouldn't be vulnerable at all by accepting any UTF-16 string (including invalid ones). Certainly, it could cause problems to some applications using SQLite, but SQLite can't be responsible for poorly written applications using it, can it? Anyway, it certainly can't be called a bug if SQLite returns an error when I try to prepare an SQL statement with invalid characters. However, it should be clear what SQLite considers as an invalid character: is it only an unpaired surrogate, anything that the Unicode standard defines as a 'noncharacter', or even any character that currently isn't defined by the Unicode standard (which would be pretty bad in my opinion)?

Re. that 0xE000 character, should I submit a bug report somewhere?

Thanks,
Jiri
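The three candidate definitions of "invalid" raised in the message above, applied to a sequence of UTF-16 code units. This is an added example, not code from the thread or from SQLite; the function names and the sample input are constructed, and the "unassigned" label depends on the Unicode version bundled with the Python interpreter.

```python
import unicodedata

def is_noncharacter(cp):
    # The 66 noncharacters: U+FDD0..U+FDEF plus the last two code points of each plane.
    return 0xFDD0 <= cp <= 0xFDEF or (cp & 0xFFFE) == 0xFFFE

def label_scalar(cp):
    # Label a Unicode scalar value (never called with a surrogate).
    if is_noncharacter(cp):
        return "noncharacter"
    cat = unicodedata.category(chr(cp))
    if cat == "Co":
        return "private-use"      # valid for interchange, meaning is by private agreement
    if cat == "Cn":
        return "unassigned"       # reserved today, may be assigned by a later Unicode version
    return "assigned"

def classify_utf16(units):
    """Return (index, value, label) for each character or stray unit in `units`."""
    out, i = [], 0
    while i < len(units):
        u = units[i]
        if 0xD800 <= u <= 0xDBFF:                      # high surrogate
            if i + 1 < len(units) and 0xDC00 <= units[i + 1] <= 0xDFFF:
                cp = 0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00)
                out.append((i, cp, label_scalar(cp)))
                i += 2
                continue
            out.append((i, u, "unpaired-surrogate"))   # high with no low after it
        elif 0xDC00 <= u <= 0xDFFF:
            out.append((i, u, "unpaired-surrogate"))   # low with no high before it
        else:
            out.append((i, u, label_scalar(u)))
        i += 1
    return out

# Constructed sample: each class from the message appears at least once.
SAMPLE = [0x0041, 0xD800, 0x0042, 0xDC00, 0xE000, 0xFFFE,
          0xD83D, 0xDE00, 0x0378, 0xDBFF]

if __name__ == "__main__":
    for index, value, label in classify_utf16(SAMPLE):
        print(f"unit {index}: U+{value:04X} {label}")
```

Only the unpaired-surrogate class makes the input ill-formed UTF-16; the other labels describe well-formed input, so rejecting them is a policy choice by the consumer.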