why making a user registration must be regular?

Question

hello, everyone.

I'm programming a user registration. However, I found a charactor limiting to 'username' from sample codes, such as just '.', ''', '-' are accepted, no space or other blank, etc.

Are those restrictions necessary?

I'm using MySQL+PHP. If I adopt the following several ways:

1. change the collation of the column to 'utf8_general_ci';
2. pull in the function 'mysql_escape_string' or 'mysql_real_escape_string' to PHP;
3. create a relation table about username <-> userID (the 'username' is what the client input, userID is a INT number.). As well as just use 'userID' in the database, but 'username' only display in HTMLs.

Do I really need a regular expression?

Thank you for your help.

---

PS: I'm a Chinese, so Chinese characters are required.

Answer 1

it's up to you, but using mysql_real_escape_string should be fine in my opinion (and I'm pretty paranoid)

Answer 2

Those restrictions are not neccessary, however you must ensure, that username is a valid and unique string (with or without regex)

when it comes to stripping vulnerable characters from strings and mysql injection I would advice to use Mysqli extension for prepared statements, which takes care of escaping and you don't have to escape every string manually

Answer 3

Since this is a web app, apart from using mysql_real_escape_string, I would also recommend stripping or disallowing anything that can construct HTML. Generally forbidding "<" and ">" is enough.

You really wouldn't want some user to enter their name as:

<script src=http://malicious/script.js&gt;&lt;/script&gt;

The alternative solution is to use htmlspecialchars when outputting data to your page.