Safe or unpractical to use UTF-8 page names or other text? - User submitted text!

I am working on a site that have an international aim; I.o.w., logged in users can add text in their own language. I am hoping for international page names and content.

An URL example, like the Japanese Wikipedia: http://ja.wikipedia.org/wiki/メインページ (Both pagename and content text).

I know by using UTF-8, I can do this, but how should I control it?

UTF-8 contains way to many languages/letters to control in a script, I guess, so how safe/unsafe is it to allow people to add UTF-8 text?

I can see that someone could add harmful code this way, but how to prevent it?

All information regarding safety/control when using UTF-8 is appreciated!

EDIT: P开发者_Go百科S! I use PHP and MySQL.

Warning: perhaps a slightly rusty response:

Note: not discussing host name (IDNS) issues.

The only completely safe thing here is to use %-escaped UTF-8. Some browsers will display this as what you want, and some will display the %-escapes. (e.g. http://foo.bar/%ee%cc%cf.html)

If you put 'real UTF-8' in the URLs, many things will work, but there may be unpleasant surprises lurking for some people in some browsers. I'm reading your question as dealing with 100% static content. If you are trying to do this with code behind the site, you have additional issues to work on.

The 'unpleasant surprises' would be (a) people finding the %xx's in the URL unreadable, (b) a browser that melts, (c) some data scraping or aggregating application that melts.

I wish I were more up to date on this, but I'm not, so my recommendation is to deploy a test site and then try to access it with everything you can put your hands on, including mobile phones. Persuade Google to index it, and see what happens there.

For domain names, this is called IDN. For page names, you may want to think of the possibility of IDN spoofs.

It's safe as long as you don't interpret it literally as SQL (SQL injection) or HTML (XSS) or any other language. Just escape any user-controlled input (request URL, request headers, request parameters, request body, etc..etc..) at the point it's going to be used in SQL or HTML.

It's unclear what server side programming language you're using, so I can't go further in detail.