$had_bad_characters = $user =~ s/\W//g;

# Safer still (since what's defined as a 'word character' could change based on locale/Unicode (?))
$user =~ s/[^a-zA-Z_-]//g;   # Explicitely define what we want to ACCEPT as valid