Jump to content
MakeWebGames

Usernames - not allowing special chars

Zettieee

By Zettieee
in General Discussion

 Share

Recommended Posts

Zettieee Newbie

Zettieee

Posted
Posted

Hey guys. So recently someone I know told me people can have special chars in their usernames.

Some of these special chars are offense and shouldn't be allowed.

On register you need to add ctype_alnum(); around the username input.

Also on username change.

Link to comment
Share on other sites
rockwood Contributor

rockwood

Posted
Posted

Yes: to avoid having to escape special characters. Lazy programmers will just drop what the user types, straight into the code somewhere and this is what leads to injection attacks.

Even if it's not used maliciously, allowing the user to type characters that will conflict somewhere else can be more hassle than necessary. For example, if you decide to create a filesystem directory per user, to store their uploads in, then the username must conform to directory naming rules on that OS (e.g. no \/:*?"<>| on Windows).

Once you've avoided clashes like the directory naming one, and stripped out "';% and // to avoid injection attacks, you have removed most punctuation, and "why does someone even need punctuation in their user name"?

It was far easier to write a quick regex to validate usernames against [a-zA-Z0-9_] and be done with it, than faff about with figuring out all the possible punctuation that will not clash, or mapping them to other characters in some way.

Then, like many things in computing, as soon as enough people start having just letters, numbers and underscores for usernames, and people start making usernames to that spec, it became the de facto standard and self perpetuates!

  • Like 1
Link to comment
Share on other sites
Dave Community Regular

Dave

Posted
Posted
Yes: to avoid having to escape special characters. Lazy programmers will just drop what the user types, straight into the code somewhere and this is what leads to injection attacks.

Even if it's not used maliciously, allowing the user to type characters that will conflict somewhere else can be more hassle than necessary. For example, if you decide to create a filesystem directory per user, to store their uploads in, then the username must conform to directory naming rules on that OS (e.g. no \/:*?"<>| on Windows).

Once you've avoided clashes like the directory naming one, and stripped out "';% and // to avoid injection attacks, you have removed most punctuation, and "why does someone even need punctuation in their user name"?

It was far easier to write a quick regex to validate usernames against [a-zA-Z0-9_] and be done with it, than faff about with figuring out all the possible punctuation that will not clash, or mapping them to other characters in some way.

Then, like many things in computing, as soon as enough people start having just letters, numbers and underscores for usernames, and people start making usernames to that spec, it became the de facto standard and self perpetuates!

Source: http://stackoverflow.com/questions/2053335/what-should-be-the-valid-characters-in-usernames#7875696

If you're going to steal other peoples posts on other sites, at least have the decency to attribute the original source.

Link to comment
Share on other sites
Guest

Guest

Posted
Posted
Yes: to avoid having to escape special characters. Lazy programmers will just drop what the user types, straight into the code somewhere and this is what leads to injection attacks.

Even if it's not used maliciously, allowing the user to type characters that will conflict somewhere else can be more hassle than necessary. For example, if you decide to create a filesystem directory per user, to store their uploads in, then the username must conform to directory naming rules on that OS (e.g. no \/:*?"<>| on Windows).

Once you've avoided clashes like the directory naming one, and stripped out "';% and // to avoid injection attacks, you have removed most punctuation, and "why does someone even need punctuation in their user name"?

It was far easier to write a quick regex to validate usernames against [a-zA-Z0-9_] and be done with it, than faff about with figuring out all the possible punctuation that will not clash, or mapping them to other characters in some way.

Then, like many things in computing, as soon as enough people start having just letters, numbers and underscores for usernames, and people start making usernames to that spec, it became the de facto standard and self perpetuates!

This is totally irrelavant, this has nothing to do with injection or attacks, just simply offensive names.

Link to comment
Share on other sites
sniko Apprentice

sniko

Posted
Posted
They should have been fixed I would have thought?

On already established run-by-people-who-don't-care games? I think not.

Oh, and don't forget the illegal run games, who have v2 from release day, and can't upgrade - assuming new source isn't "leaked", which I think it is.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...