Should I allow underscores in first and last name?

We have a form that has fields for first and last name. I was asked to allow underscores. I don't know of any SQL injection that uses underscores, but I also don't know of anyone with an underscore in their name. Is there a good reason to allow or not allow underscores in names?

EDIT: I'm using parameters and server side validation. This is for client side validation via the jQuery validation plugin.

EDIT 2: I didn't mean for this to become a discussion on whether or not I should do any validation...I just wanted to know if there was any compelling reason to accept underscores, like I should accept Irish people or hyphens. Based on that, I'm accepting Oren's answer.


You should be as liberal as possible in what you allow as a name. There is no good reason to disallow an underscore, so why do it? There are many horror stories of people who try to utilize software that disallows their actual name. Have a look at Falsehoods Programmers Believe About Names for assumptions you should not make.


DO NOT PREVENT SQL INJECTION USING WHITELISTS!

Have you come across an O'Neill yet?

Instead, use parameters.

I will admit, though, that whitelists will work better than blacklists.


Re: EDIT:
You should not do such validation at all.
If your server-side code can handle it, there's nothing wrong with the name --'!@--_.
If your server-side code cannot handle it, it should.


You're doing your validation wrong. When preventing SQL injection, just use placeholders or your database library's escape function to escape the data. What characters you use in the name doesn't matter then.


You'll need to allow apostrophes and hyphens (O'Reilly, Double-Barrel). Never heard of an underscore in a name though.


Ideally, you should be able to allow any characters and not have a problem with SQL injection because you are using parameterized queries etc.

Do you disallow '? How do you think Mr O'Reilly likes that?


If you prevent underscores with the assumption that we are not aware of names with underscores, would you do the same for the other dozens (hundreds) of other "special characters"?

Unless there is some reason to block underscores, I would leave it up to the user to be able to enter their name as they want.
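
The point the answers above keep returning to, as an added example that is not part of the original thread: the same names inserted through string concatenation and through parameters, using Python's `sqlite3`. The `people` table, the function names and the sample name `Mary_Ann` are assumptions made for illustration. It goes one step beyond the thread by covering the one place an underscore does carry SQL meaning, as a `LIKE` wildcard when searching stored names.

```python
import sqlite3

# Constructed sample names, including the ones quoted in the answers.
NAMES = ["O'Neill", "Double-Barrel", "Mary_Ann", "--'!@--_"]


def insert_concat(conn, first, last):
    # Vulnerable form: the name becomes part of the SQL text.
    conn.execute(
        "INSERT INTO people (first_name, last_name) VALUES ('%s', '%s')" % (first, last)
    )


def insert_param(conn, first, last):
    # Parameterized form: the driver passes the name as data, never as SQL.
    conn.execute(
        "INSERT INTO people (first_name, last_name) VALUES (?, ?)", (first, last)
    )


def escape_like(term, esc="\\"):
    # "_" and "%" are LIKE wildcards; escape them to search for them literally.
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def find_last_name(conn, fragment):
    rows = conn.execute(
        "SELECT last_name FROM people WHERE last_name LIKE ? ESCAPE '\\' ORDER BY last_name",
        ("%" + escape_like(fragment) + "%",),
    )
    return [r[0] for r in rows]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (first_name TEXT, last_name TEXT)")
    broken = []
    for name in NAMES:
        try:
            insert_concat(conn, "Test", name)
        except sqlite3.Error:
            broken.append(name)  # the quote in the name broke the statement
    conn.execute("DELETE FROM people")
    for name in NAMES:
        insert_param(conn, "Test", name)
    stored = [r[0] for r in conn.execute("SELECT last_name FROM people ORDER BY rowid")]
    return broken, stored, find_last_name(conn, "_")
```

`demo()` returns the names that broke the concatenated statement, the names stored intact by the parameterized one, and the rows matching a literal underscore search.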
