cross-posted from: https://programming.dev/post/10497245

Hi,

For websites I’ve always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.

It’s easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.

On the topic I’ve this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

  • lurch (he/him)
    link
    fedilink
    English
    arrow-up
    18
    ·
    9 months ago

    even though it’s okay to forbid characters in user names for convenience, if you forbid them in order to not have to escape them, you’re basically building unintentional backdoors. every user input that goes to DB or shells must be escaped. otherwise you may miss something or an update introduces a new meaning for a character and you get hacked.