• AtomBomb

    News · 0 Votes · 2 Posts · 817 Views · tonyshowoff

    So if it doesn't provide privilege escalation and only allows you to access processes which you are running, then how is it really any different from any normal hooking? So yes, it's unpatchable in the same way deleting all the files in your own home directory in Unix is unpatchable.

    Looking at the code as well... we were doing this stuff years ago to see what was being sent wrapped in SSL for reverse engineering purposes, because tcpdump or whatever couldn't read it.

  • Password Limitations

    IT Discussion · 0 Votes · 18 Posts · 4k Views · tonyshowoff

    A lot of places restrict the allowed characters because they're morons who don't understand SQL injection and think it's a way to avoid it. Ideally any character should be allowed that can be transferred over HTTP without breaking the hell out of things, which is everything which can be properly encoded.

    I do trim passwords, though, something old-school jackasses think is bad, because, after all, if there's a space at the beginning or end of a password, or a newline/return character, it must be on purpose, despite the fact that 99.9999999999% of the time it's because someone copy/pasted the password from an email or something and accidentally added on the space/\r/\n. Of course you can make the argument of never sending a password in an email (and we don't), but tell that to users who will do it all day long.

    I also wrote a method to deal with "easy" passwords, things like repeating words, pattern recognition for phone numbers, birthdates, etc.
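The trimming and "easy password" checks described in the post above, as an added example; this is not tonyshowoff's code (which is not published in the thread). The function names, the set of characters trimmed, the North American phone-number shape, the date layouts and the minimum length of a sequential run are all assumptions made for the example.

```python
import re
from typing import Optional

# Characters a copy/paste from an email commonly drags along with a password.
# Trimming only these, and only at the ends, is the design choice argued in the
# post: an interior space is kept exactly as typed. (Assumed set.)
_COPY_PASTE_JUNK = " \t\r\n"


def normalize_password(raw: str) -> str:
    """Strip accidental surrounding whitespace/line endings; keep everything else.

    No character class is banned on SQL-injection grounds. Assumed here: the
    password is hashed and any query is parameterised, so the only hard
    requirement is that the string survives UTF-8 encoding.
    """
    pw = raw.strip(_COPY_PASTE_JUNK)
    pw.encode("utf-8")  # raises UnicodeEncodeError on unencodable input (lone surrogates)
    return pw


# Heuristics for "easy" passwords. These regexes are the example's own guess at
# a minimal set; the post's actual patterns are not shown.
_REPEATED_CHUNK = re.compile(r"(.+?)(?:[^\w]?\1)+")          # passpass, pass-pass, aaaaaaaa
_DATE_YMD = re.compile(r"(?<!\d)(\d{4})[-/.]?(\d{2})[-/.]?(\d{2})(?!\d)")  # 19900315, 1990-03-15
_DATE_DMY = re.compile(r"(?<!\d)(\d{2})[-/.]?(\d{2})[-/.]?(\d{4})(?!\d)")  # 15031990, 03/15/1990
_PHONE = re.compile(r"(?:\(?\d{3}\)?[-. ]?)?\d{3}[-. ]?\d{4}")  # 867-5309, (555) 867 5309 (NANP shape, assumed)


def _plausible_date(year: int, a: int, b: int) -> bool:
    """Accept a 4-digit year plus two fields in either month/day order."""
    return 1900 <= year <= 2099 and (
        (1 <= a <= 12 and 1 <= b <= 31) or (1 <= b <= 12 and 1 <= a <= 31)
    )


def _has_sequential_run(s: str, min_len: int = 5) -> bool:
    """True if s contains min_len+ characters stepping by +1 or -1 in code point (abcde, 54321)."""
    run, direction = 1, 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            run = run + 1 if step == direction else 2  # continue the run, or start a new one
            direction = step
        else:
            run, direction = 1, 0
        if run >= min_len:
            return True
    return False


def is_easy_password(pw: str) -> Optional[str]:
    """Return a short reason if pw matches an 'easy' pattern, else None.

    Order matters: a repeated chunk like 12341234 is reported as such before the
    date/phone checks get a chance to misread its digits.
    """
    lowered = pw.lower()
    if _REPEATED_CHUNK.fullmatch(lowered):
        return "repeated pattern"
    for m in _DATE_YMD.finditer(pw):
        if _plausible_date(int(m[1]), int(m[2]), int(m[3])):
            return "date"
    for m in _DATE_DMY.finditer(pw):
        if _plausible_date(int(m[3]), int(m[1]), int(m[2])):
            return "date"
    if _PHONE.search(pw):
        return "phone number"
    if _has_sequential_run(lowered):
        return "sequential run"
    return None


def vet_password(raw: str) -> Optional[str]:
    """Normalise as the post describes, then run the easy-password checks."""
    return is_easy_password(normalize_password(raw))


if __name__ == "__main__":
    # Constructed sample inputs, not real user passwords.
    for sample in ["  hunter2\r\n", "pass-pass-pass", "born19900315",
                   "call555-867-5309", "qwerty12345", "correct horse battery staple"]:
        print(repr(sample), "->", repr(normalize_password(sample)), vet_password(sample))
```

The checks are deliberately pattern-based rather than a dictionary lookup, which is what the post describes; the date and phone regexes only report a hit when the digits also pass a plausibility test, so an arbitrary 8-digit string is not rejected as a "birthdate" just for being 8 digits long.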