cross-posted from: https://programming.dev/post/10497245

Hi,

For websites I’ve always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.

It’s easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.

On the topic I’ve this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    8 months ago

    For a username, your backend should only do simple CRUD:

    • create user
    • read password hash
    • update username (if you support it)
    • delete user

    Other than that, you should be using a backend-generated ID, like a UUID or a login token, elsewhere in your application. So for the backend, your only concern related to secure handling of a username is the proper handling of SQL queries for those operations and encoding over the wire. Wire encoding is well defined (URL-encoding or base64), and SQL injection isn’t a thing if you use a decent library correctly. Don’t try to interpret it anywhere, just pass it along as a bunch of bytes, just like a password.

    So the only thing left is the frontend, where you should be sanitizing all user input anyway. If the frontend wants to sanitize input in some way, ensure the backend has the same check on creates and updates. But that has nothing to do with backend security, it’s merely a convenience to prevent bugs on the frontend.