cross-posted from: https://programming.dev/post/10497245
Hi,
For websites I’ve always restricted
usernameto use Apostrophe'and"and some times even space. If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.It’s easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.
On the topic I’ve this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense
But if you have better documentation feel free to share :)
Thanks
Why are you imagining this just has to do with SQL? You have a very narrow view of the problem and as a result you’re going to cause yourself massive headaches.