Should you allow usernames to use apostrophes (aka quotes)?
Hi,
For websites I've always restricted usernames from using the apostrophe ' and " and sometimes even space. If a website necessitates special characters then I prefer to create an additional DB field ~DisplayName.
It's easier to forbid the use of apostrophes, otherwise you will also have to escape your search query to match what has been recorded in the DB.
Any field in a DB can be vulnerable to SQL injection. Filtering out characters is a terrible way to mitigate that attack; you should be using prepared queries, where it does not matter what chars you have in your username or password. You should never form a query with string concatenation.
You may want to limit chars in a username to ones allowed in URLs (or even ones that don't need escaping) if you ever want it to appear in a URL though. The same goes for any other places the username might be used, but an entry in a DB should not matter.
There are a lot of edge case characters around visually indistinguishable names. If that is a concern, usernames should use a restricted, known character set instead of trying to block specific characters. You likely should also treat lookalike characters as equivalents when checking for username overlap.
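An added example, not code from this thread: usernames containing quotes stored and searched through bound parameters, with a separate normalized key for the overlap check. It assumes SQLite via Python's `sqlite3`; the `users` table and the `canonical`, `register` and `find` functions are hypothetical names, and the sample usernames are constructed.

```python
import sqlite3
import unicodedata


def canonical(name: str) -> str:
    """Key used only for overlap checks. NFKC folds compatibility forms
    (fullwidth letters, ligatures) and casefold removes case differences.
    It does not map cross-script lookalikes such as Cyrillic vs Latin."""
    return unicodedata.normalize("NFKC", name).casefold()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT NOT NULL, canon TEXT NOT NULL UNIQUE)"
    )
    return db


def register(db: sqlite3.Connection, username: str) -> bool:
    """Insert with bound parameters; False if the name overlaps an existing one."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (username, canon) VALUES (?, ?)",
                (username, canonical(username)),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def find(db: sqlite3.Connection, username: str):
    """Exact lookup; the value is bound as data, never spliced into the SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    # Constructed sample usernames
    for name in ["O'Brien", 'say "hi"', "x' OR '1'='1", "alice", "ＡＬＩＣＥ"]:
        print(repr(name), register(db, name))
    print(find(db, "O'Brien"), find(db, "nobody' OR '1'='1"))
```
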