Web Development

3425 readers

6 users here now

Welcome to the web development community! This is a place to post, discuss, get help about, etc. anything related to web development

What is web development?

Web development is the process of creating websites or web applications

Rules/Guidelines

Follow the programming.dev site rules
Keep content related to web development
If what you're posting relates to one of the related communities, crosspost it into there to help them grow
If youre posting an article older than two years put the year it was made in brackets after the title

Related Communities

Wormhole

[email protected]

Some webdev blogs

Not sure what to post in here? Want some web development related things to read?

Heres a couple blogs that have web development related content

https://frontendfoc.us/ - [RSS]
https://wesbos.com/blog
https://davidwalsh.name/ - [RSS]
https://www.nngroup.com/articles/
https://sia.codes/posts/ - [RSS]
https://www.smashingmagazine.com/ - [RSS]
https://www.bennadel.com/ - [RSS]
https://web.dev/ - [RSS]

Credits

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago

MODERATORS

snowe

erlingur

Ategon

Should you allow username to use Apostrophe (aka quotes ) (self.webdev)

submitted 6 months ago by Rick_C137 to c/webdev

5 comments fedilink hide all child comments

Hi,

For websites I've always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.

It's easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.

On the topic I've this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

all 6 comments

sorted by: hot top controversial new old

[–] nous 25 points 6 months ago* (last edited 6 months ago) (2 children)

Any field in a DB can be vulnerable to SQL injection. Filtering out characters is a terrible way to mitigate that attack, you should be using prepared queries where it does not matter what chars you have in your username or password. You should never form a query with string concatenation.

You may want to limit chars in a username to ones allowed in URLs (or even ones that don't need escaping) if you ever want it to appear in a URL though. Or any other places the user name might be used, but a entry in a DB should not matter.

[–] [email protected] 3 points 6 months ago (1 children)

Another good reason to filter characters is based on what people expect. You don't want people to be making accounts like OfficialSiteSupport'

[–] damium 2 points 6 months ago

There are a lot of edge case characters around visually indistinguishable names. If that is a concern usernames should use a restricted known character sets instead of trying to block specific characters. You likely should also treat lookalike characters as equivalents when checking for username overlap.

[–] Kissaki 2 points 6 months ago* (last edited 6 months ago)

You don't need to escape any content for storing in a DB field.

Use the correct database interface and you're good.

I'd be more concerned about intention and intentional design. Arbitrary characters can be misleading or problematic for users. Using an allow list for accepted username characters is a good approach if you can't depend on good intentions of users.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago)

Since character filtering is all about edge cases, I would like to note that if someone uses an FF14 character name as a display name, the game allows for apostrophe and hyphen and will have a single space.

It's not a huge edge case population wise (unless you're building an application focused on that community or genre), but as others have said it's much safer to prevent the injection from happening in the first place using an interface rather than try to figure out all the way a user can break out of a constructed string.