Tom Lane <tgl@sss.pgh.pa.us> writes:
> FWIW, I think that Java clients don't need to worry about those security
> issues. It's not possible for Java to emit an invalidly-coded UTF8
> string, is it? I thought that the internal representation of strings
> is UCS2 or UCS4, and if so, it would take some exceedingly broken
> code in the JVM for the output not to be valid UTF8.
It's UTF-16, just like Windows XP and above.
http://java.sun.com/developer/technicalArticles/Intl/Supplementary/
FYI there are two ways to output UTF8:
DataOutputStream.writeUTF()
outputs a non-standard UTF8, and is limited in size.
From 1.4:
Charset.forName("UTF-8")....encode()
outputs standard UTF8