On Thu, 2007-05-17 at 16:54 +0200, Jiri Hajek wrote:
> > The Unicode standard is beside the point. There is lots of code
> > that does not handle charsets and encodings correctly, which can
> > open vulnerabilities to metacharacter injection. (Examples of
> > this class of problem are SQL injection, XSS and format string
> > exploits.)
>
> I can't agree. SQLite itself wouldn't be vulnerable at all by
> accepting any UTF-16 string (including invalid ones). Certainly, it
> could cause problems to some applications using SQLite, but SQLite
> can't be responsible for poorly written applications using it, can it?
>
> Anyway, it certainly can't be called a bug if SQLite returns an error
> when I try to prepare an SQL statement with invalid characters.
> However, it should be clear what SQLite considers as an invalid
> character, is it only an unpaired surrogate, anything that Unicode
> standard defines as a 'noncharacter' or even any character that
> currently isn't defined by Unicode standard (which would be pretty bad
> in my opinion)?
>
> Re. that 0xE000 character, should I submit a bug report somewhere?

You already did. Thanks.

  http://www.sqlite.org/cvstrac/chngview?cn=4017

In general, formal bug reports can be submitted by clicking [Ticket]
on this page:

  http://www.sqlite.org/cvstrac/

Dan.

> Thanks,
> Jiri
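
Added example, not part of the thread and not SQLite's code: a UTF-16 check in C that separates two of the categories asked about above, unpaired surrogates and Unicode noncharacters, and accepts 0xE000, which lies just above the surrogate range 0xD800..0xDFFF. The function and status names and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status names are this example's own, not SQLite's. */
enum u16_status { U16_OK, U16_UNPAIRED_SURROGATE, U16_NONCHARACTER };

static int is_high(uint32_t u) { return u >= 0xD800 && u <= 0xDBFF; }
static int is_low(uint32_t u)  { return u >= 0xDC00 && u <= 0xDFFF; } /* 0xE000 is outside */

/* Noncharacters: U+FDD0..U+FDEF plus the last two code points of each plane. */
static int is_nonchar(uint32_t cp) {
    return (cp >= 0xFDD0 && cp <= 0xFDEF) || (cp & 0xFFFE) == 0xFFFE;
}

/* Scan n native-endian code units; on failure *bad gets the offending index.
 * Unassigned code points are not checked: that needs the Unicode database. */
enum u16_status u16_check(const uint16_t *s, size_t n, size_t *bad) {
    size_t i = 0;
    while (i < n) {
        size_t start = i;
        uint32_t cp = s[i++];
        if (is_high(cp)) {
            if (i == n || !is_low(s[i])) { *bad = start; return U16_UNPAIRED_SURROGATE; }
            cp = 0x10000 + ((cp - 0xD800) << 10) + (s[i++] - 0xDC00u);
        } else if (is_low(cp)) {
            *bad = start; return U16_UNPAIRED_SURROGATE;
        }
        if (is_nonchar(cp)) { *bad = start; return U16_NONCHARACTER; }
    }
    return U16_OK;
}

/* Constructed sample inputs. */
const uint16_t PRIVATE_USE[] = { 0x0041, 0xE000, 0x0042 }; /* U+E000 is private use */
const uint16_t VALID_PAIR[]  = { 0xD83D, 0xDE00 };         /* U+1F600 */
const uint16_t LONE_HIGH[]   = { 0x0041, 0xD800, 0x0042 };
const uint16_t LONE_LOW[]    = { 0xDFFF };
const uint16_t NONCHAR_BMP[] = { 0x0041, 0xFFFE };
const uint16_t NONCHAR_SUP[] = { 0xD83F, 0xDFFF };         /* U+1FFFF */

int main(void) {
    size_t bad = 0;
    enum u16_status st = u16_check(LONE_HIGH, 3, &bad);
    printf("lone high: status %d at index %zu\n", (int)st, bad);
    st = u16_check(PRIVATE_USE, 3, &bad);
    printf("0xE000 in text: status %d\n", (int)st);
    return 0;
}
```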