For my first php website, I’m currently allowing all characters to be used in usernames. When they are inserted into the database, I use addslashes(), and when they are retrieved from the database, I use stripslashes(), and then I use htmlentities() to cause them to display properly on the page. I haven’t had any problems so far, but are there any characters that I should disallow in usernames for any reason? HTML, CSS, and PHP are the only languages I’m fluent in, and I’m concerned that in the future I will come across functions in PHP or Java or some other language that will have difficulty parsing certain characters.
Share
A number of characters could cause problems:
Obviously there are the characters with special meaning in html and SQL, which you have dealt with.
Other possibilities are:
For searching users, regular expression characters/wildcards, eg. *, ?
If you want to give users an email address, emails only support alphanumeric characters, underscores and non-adjacent dots, and many systems assume emails are case-insensitive (although not part of the specification)
If you want to give users a profile page where the url contains their username, many characters will needed to be encoded properly.
Non-ascii characters could cause problems, depending on how usernames are stored (if they are stored in fields supporting UTF-8, then any character is supported)