Why is it necessary to validate usernames? [closed]
I've been reading the Ruby on Rails 3 Tutorial book by Michael Hartl and he doesn't validate the username in the sample app of the book. Yet so many websites are asking users to register with only alphanumerics and underscores (not always allowed even).
I've searched for a while both on Google and Stack Overflow but only found a huge number of people asking how to validate usernames in the above manner.
Gee, why do we need to do it in the first place then?
One reason I can think of is to ensure they are URL friendly. Any website that has a user resource, and uses the username in the URL instead of the ID, will require a URL-safe username.
Any website that requires a username but doesn't use it as a resource probably shouldn't require a username to begin with (use email address for login instead).
EDIT: To answer your comment: "The space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs."
As per RFC 1738. This document also describes why other characters are unsafe.
I agree. I think that only spaces should be disallowed in most cases. I think the main reasons are to avoid possible problems with encoding/decoding that could open up security holes. All of those problems can and should be solved in better ways, though. I've seen the same with passwords, even, which is even more ridiculous (Regions will not allow special characters).
If usernames are supposed to be unique, what if you have two users named these?
John Doe
John Doe
If you're putting the names straight into the HTML, they'll look identical. If you fix that, there are probably other things to be done with Unicode. Requiring a username to be alphanumeric (and maybe some other characters) solves many of these problems.
In addition to other reasons stated, allowing arbitrary Unicode characters enables one user to create a name that appears very similar to another user's name by using Unicode characters that closely resemble Latin letters, e.g.
K℮ℎ
Keh
(above renders correctly at least in Chrome on Windows 7).
On the other hand, disallowing Unicode characters creates an unnecessary bias against non-English visitors who may well have accent marks in their given name (e.g. Jürgen), or whose native language may use an alphabet not based on the Latin character set (e.g. 孔夫子).
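As an added example (not from the question or any of the answers above), here is one way to reconcile the two concerns raised in the last answers: let accented and non-Latin names through, but make look-alike names such as "John Doe" with a non-breaking space, or a name with a Planck-constant "ℎ" in place of "h", collide with the real one on the uniqueness check. Plain Ruby (assumes Ruby 2.4 or later for `unicode_normalize` and Unicode-aware `downcase`); `username_key` and `valid_handle?` are hypothetical helper names you would call from a Rails model validation.

```ruby
# Canonical key used for the uniqueness constraint. The name as typed can
# still be stored for display; only this key has to be unique.
def username_key(raw)
  raw.unicode_normalize(:nfkc)   # NBSP -> space, U+210E (Planck h) -> "h", ...
     .gsub(/[[:space:]]+/, " ")  # collapse runs of any Unicode whitespace
     .strip
     .downcase                   # full Unicode case folding on Ruby >= 2.4
end

# Scripts we tell apart. Letters from two of them in one name is the classic
# homoglyph pattern (Latin "o" next to Cyrillic "о" looks identical).
SCRIPT_PATTERNS = %w[Latin Cyrillic Greek Han Hiragana Katakana Arabic Hebrew]
  .map { |s| [s, Regexp.new("\\p{#{s}}")] }.to_h.freeze

def scripts_in(name)
  SCRIPT_PATTERNS.select { |_, re| name.match?(re) }.keys
end

# Policy for a handle that also appears in URLs: letters and digits from a
# single script plus underscore, 3 to 30 characters. Accented (Jürgen) and
# non-Latin (孔夫子) names pass; symbols such as U+212E are not letters and
# are refused, as is a mix of scripts.
def valid_handle?(raw)
  key = username_key(raw)
  return false unless key.match?(/\A[[:alnum:]_]{3,30}\z/)
  scripts_in(key).size <= 1
end
```

The key is what you put the database unique index on; the raw string is only ever shown back to the user, HTML-escaped.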