Allowable Characters for Username?

[doubledee]

Should I restrict what characters a new User can use for his/her "Username" or let them type in anything as long as it is 8-30 characters?

 

I caught hell here before for trying to restrict things like Name to the characters [A-Z \'.-]

 

 

Debbie

 

[blacknight]

[a-zA-Z]{8,30} will work in preg match will alow any char a-z upper and lower min 8 max 30

 

[doubledee]

[a-zA-Z]{8,30} will work in preg match will alow any char a-z upper and lower min 8 max 30

 

But that does NOT answer my question...

 

 

Debbie

 

[blacknight]

limiting there usernames is a good idea and not allowing char character that could be used as a sql or database query is allways a good thing

 

[doubledee]

limiting there usernames is a good idea and not allowing char character that could be used as a sql or database query is allways a good thing

 

I'm using Prepared Statements, so that isn't an issue.

 

It just seems like you could get a kid who types in ~!@#$%^&*()_+ for a Username which would be obnoxious at the very least...

 

 

Debbie

 

[litebearer]

unless the potential username is crude/rude/socially-unacceptable - most other users could care less if someone decided to label themself as a fool

[AyKay47]

Should I restrict what characters a new User can use for his/her "Username" or let them type in anything as long as it is 8-30 characters?

 

I caught hell here before for trying to restrict things like Name to the characters [A-Z \'.-]

 

 

Debbie

 

what point of view should this be from?

Personal opinion, security, etc...

If this is a user handle, really the allowed character set is up to you.

If this is for an actual name, obviously a validity check should be in place.

[doubledee]

Should I restrict what characters a new User can use for his/her "Username" or let them type in anything as long as it is 8-30 characters?

 

I caught hell here before for trying to restrict things like Name to the characters [A-Z \'.-]

 

 

Debbie

 

what point of view should this be from?

Personal opinion, security, etc...

If this is a user handle, really the allowed character set is up to you.

If this is for an actual name, obviously a validity check should be in place.

 

Just from a general design standpoint.

 

"Username" is really just a "pen-name", so I suppose that I can be more lax on what is allowed.

 

I just tend to be formal, and was wondering if I allowed !@#$%^&*()_+ as a Username if that would come back to bite me?! 

 

It is possible that I could later expand Username's purpose, like allowing Users to log in using either "Email" or "Username".

 

Since it is unique, it might also be used to look Users up in queries, although like I said, I am using Prepared Statements.

 

And this is what I do for Form Validation...

// Validate Username.
if (empty($trimmed['username'])){
	// No Username.
	$errors['username'] = 'Enter your Username.';
}else{
	// Username Exists.
	if (preg_match('~(?x)								# Comments Mode
				^								# Beginning of String Anchor
				(?=.{8,30}$)						# Ensure Length is 8-30 Characters
				.*								# Match Anything
				$								# End of String Anchor
				~i', $trimmed['username'])){
		// Valid Username.

		// ******************************
		// Check Username Availability.	*
		// ******************************

 

 

Debbie

 

[codebyren]

Why not just go with what people are used to?  Look at twitter, this forum and, well, any site similar to the one that you are working on as an example.  These get by with restricting usernames to something like 15 alphanumeric characters and an underscore or two.  And since several hundred million people have been ok with that, I think you should run with it.

[AyKay47]

One thing that I do notice is the regex that you are using to filter usernames.

Really, a regex of this nature is not necessary if you are allowing any character through.

Simply using strlen for this to check the strings length would be a quicker way of doing it.

Also, comments in code should describe why something is being done, not what is being done. Things like this:

 

// Validate Username.
if (empty($trimmed['username'])){
	// No Username.
	$errors['username'] = 'Enter your Username.';
}else{
	// Username Exists.
	if (preg_match('~(?x) # Comments Mode
				^ # Beginning of String Anchor
				(?=.{8,30}$) # Ensure Length is 8-30 Characters
				.* # Match Anything
				$ # End of String Anchor
				~i', $trimmed['username'])){

 

Your comments are simply describing what you are doing, which we can already see from the code. What would be more helpful is why it is being done, if anything. This will make it easier for you or someone else to pick up your code at a later date and see why certain code is in place.

Just some things that I noticed.

[Psycho]

While we're on the subject, is there a way to ensure that the first letter of a name is captalized, and the rest lowercase?  Or is this best handled later on, when the name is being used and called from the DB.

 

That depends completely on the specific requirements of the specific data field you are working with. Generally, IMO, it is a bad idea to ever change a users data. If you are referring to a persons "real" name, there are people with legitimate names that have capital letters within them and some that don't have a capital as the first letter. If you do not want to allow users to submit values if the first character is not an uppercase letter you can reject the input and force them to make the correction. In addition, you can make the correction for them in the input field, but make them submit the change. But, if you have a field that would not be "changed" by modifying the case of the letters then you could either change the case when saving to the database or do it on-the-fly when presenting the data. The decision would likely be based upon whether you would EVER need the input in its original format. An example of this might be an email address. It would not change the meaning/usage of an email address if you wanted to set them all to lowercase letter. If that was a requirement of the application, I'd set them to lowercase when saving.

 

Again, there is no ONE answer. This thread is pointless in the fact that it can only be answered by the person responsible for the application. It all depends on the context of the values you are working with and the specific requirements of the application. However, based upon what characters will be supported there are other considerations (e.g. escaping characters based upon the output). But, if you are following good programming practices, you should do this on ALL data regardless of whether it can contain certain characters or not.

 

It just seems like you could get a kid who types in ~!@#$%^&*()_+ for a Username which would be obnoxious at the very least...

Obnoxious to who? If YOU don't like it, restrict it. That's your choice. Some sites restrict such characters and others do not. For example, this site allows many, if not all, special characters. It even allows, gasp, PHP code as a username such as: <?=$humour?>

[doubledee]

One thing that I do notice is the regex that you are using to filter usernames.

Really, a regex of this nature is not necessary if you are allowing any character through.

Simply using strlen for this to check the strings length would be a quicker way of doing it.

 

I agree, but realize that I took out a series of test from that snippet, so in its former context it was the better way to code things.

 

 

Also, comments in code should describe why something is being done, not what is being done.

 

Fair enough, but my website is a one-woman-show, so all comments are just for me so I know what is going on!

 

Thanks,

 

 

Debbie