Re^3: Any security holes?

why "name" more than word characters plus maybe . - and ' ?

I hope the space between '.' and '-' is significant: it is thankfully rarer these days, but I've lost count of the number of times I was rejected by a web form because "van der Sanden" did not match their concept of a valid surname. In the majority of cases, those websites lost the chance at my custom.

Finding the right balance between strict and permissive can be hard. My preference is to look for unmistakable signals of intentional manipulation - and then ideally blackhole the IP address without further ado - but to accept anything below that high threshold, and concentrate on doing the right thing with it thereafter.

Comment on Re^3: Any security holes?

Replies are listed 'Best First'.
Re^4: Any security holes? by LanX (Saint) on Jun 26, 2022 at 18:10 UTC
Granted, I knew "name" was a bad example. Space goes without saying, and I might be ignoring more legal letters. A good mechanism should always include a backfeed channel for critic and adjustment. Though I remember having a fight with one of my colleagues who insisted that one of his clients can continue to use emojis in his user name and me having to hardcode an exception into the app ... I never "adjusted" this. Cheers Rolf _{(addicted to the Perl Programming Language :) Wikisyntax for the Monastery}	[reply]
Re^5: Any security holes? by Your Mother (Archbishop) on Jun 26, 2022 at 19:46 UTC
I know you know and I always sort of knew too but it wasn’t until I saw this that I really knew. :P Falsehoods Programmers Believe About Names. I agree, of course, that whitelisting is drastically better security than blacklisting in the general case. Update: hippo beat me to it.	[reply]