I’m programming a user registration. However, I found a charactor limiting to ‘username’ from sample codes, such as just ‘.’, ”’, ‘-‘ are accepted, no space or other blank, etc.
Are those restrictions necessary?
I’m using MySQL+PHP. If I adopt the following several ways:
- change the collation of the column to ‘utf8_general_ci’;
- pull in the function ‘mysql_escape_string’ or ‘mysql_real_escape_string’ to PHP;
- create a relation table about username <-> userID (the ‘username’ is what the client input, userID is a INT number.). As well as just use ‘userID’ in the database, but ‘username’ only display in HTMLs.
Do I really need a regular expression?
Thank you for your help.
PS: I’m a Chinese, so Chinese characters are required.
Since this is a web app, apart from using
mysql_real_escape_string, I would also recommend stripping or disallowing anything that can construct HTML. Generally forbidding “<” and “>” is enough.You really wouldn’t want some user to enter their name as:
<script src=http://malicious/script.js></script>The alternative solution is to use
htmlspecialcharswhen outputting data to your page.