Did you know: using ToLower on Unicode text can cause a security problem?
Posted by Igor Moochnick on 01/26/2008
I recently watched the latest DnrTV show, #97 (love them!), with Kathleen Dollard (check out her blog, Leaning Into Windows). Great show! Kathleen went through a lot of things that are rarely used in day-to-day projects but, if overlooked, can cause a serious problem and put the whole project/product at risk. Here are two that are really worth remembering:
1. In a product that works with Unicode (localized) strings and does a lot of string comparisons, it’s better to use ToUpper than ToLower. ToUpper will not work correctly for a couple of languages, but ToLower not only fails for more languages but can also expose a number of security problems within the Unicode implementation.
2. Do not write ANY code that changes variables inside the arguments of a partial method call. If the partial method’s implementation is removed, that code is removed as well and will cause an unpredictable result. To understand this, check out the following code snippet:
Let’s say that a=1 and b=2. If the PrintNum method has an implementing declaration, then the AddWithIncrement function will return 4. On the other hand, if the implementing declaration of PrintNum is removed, the compiler removes (ignores) the whole of line #5 (PrintNum(a++)), so a++ is never executed and AddWithIncrement returns 3.
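As an added example (not code from the show or from this post), here is one C# program that demonstrates both points: the class names Counter, CounterWithImpl and Program are my own, PrintNum and AddWithIncrement follow the snippet described above, and the KELVIN SIGN string is a constructed sample input.

```csharp
using System;
using System.Globalization;

// Point 2: Counter has only the declaring declaration of PrintNum, so the
// compiler drops the statement PrintNum(a++) entirely, a++ included.
partial class Counter
{
    partial void PrintNum(int n);
    public int AddWithIncrement(int a, int b)
    {
        PrintNum(a++);   // removed: no implementing declaration exists
        return a + b;
    }
}

// Same body, but CounterWithImpl also supplies an implementing declaration,
// so the call survives and a++ runs before the return.
partial class CounterWithImpl
{
    partial void PrintNum(int n);
    public int AddWithIncrement(int a, int b)
    {
        PrintNum(a++);   // kept: implementing declaration is in the other part
        return a + b;
    }
}
partial class CounterWithImpl
{
    partial void PrintNum(int n) => Console.WriteLine($"PrintNum({n})");
}

static class Program
{
    static void Main()
    {
        Console.WriteLine(new Counter().AddWithIncrement(1, 2));
        Console.WriteLine(new CounterWithImpl().AddWithIncrement(1, 2));

        // Point 1: KELVIN SIGN (U+212A) lowercases to ASCII 'k' per Unicode but has
        // no uppercase mapping, so lowering folds two distinct strings together.
        string plain = "kernel";
        string lookalike = "\u212Aernel";   // constructed sample input
        Console.WriteLine(string.Equals(plain.ToLowerInvariant(), lookalike.ToLowerInvariant(), StringComparison.Ordinal));
        Console.WriteLine(string.Equals(plain.ToUpperInvariant(), lookalike.ToUpperInvariant(), StringComparison.Ordinal));

        // Culture-sensitive casing is its own trap: Turkish maps 'i' to U+0130 on ToUpper.
        Console.WriteLine("file".ToUpper(new CultureInfo("tr-TR")));
    }
}
```

Run it twice, once after deleting the second CounterWithImpl part, and the first two printed values swap between 3 and 4 with no change to the AddWithIncrement body itself.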
So, be careful, you have been warned!