Should I allow underscores in first and last name?

We have a form that has fields for first and last name. I was asked to allow underscores. I don't know of any SQL injection that uses underscores, but I also don't know of anyone with an underscore in their name. Is there a good reason to allow or not allow underscores in names?

EDIT: I'm using parameters and server side validation. This is for client side validation via the jQuery validation plugin.

EDIT 2: I didn't mean for this to become a discussion on whether or not I should do any validation... I just wanted to know if there was any compelling reason to accept underscores, like I should accept Irish people or hyphens. Based on that, I'm accepting Oren's answer.

Chad asked Jul 23 '10 14:07


3 Answers

You should be as liberal as possible in what you allow as a name. There is no good reason to disallow an underscore, so why do it? There are many horror stories of people who try to utilize software that disallows their actual name. Have a look at Falsehoods Programmers Believe About Names for assumptions you should not make.

Oren Hizkiya answered Nov 08 '22 05:11


DO NOT PREVENT SQL INJECTION USING WHITELISTS!

Have you come across an O'Neill yet?

Instead, use parameters.

I will admit, though, that whitelists will work better than blacklists.


Re: EDIT:
You should not do such validation at all.
If your server-side code can handle it, there's nothing wrong with the name --'!@--_.
If your server-side code cannot handle it, it should.

SLaks answered Nov 08 '22 04:11


You're doing your validation wrong. When preventing SQL injection, just use placeholders or your database library's escape function to escape the data. What characters you use in the name doesn't matter then.

DGM answered Nov 08 '22 05:11
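
The point made in SLaks's and DGM's answers, as an added example that is not code from any poster on this page: with bound parameters, names such as O'Neill and --'!@--_ are stored and matched as plain data. It goes one step beyond the answers by showing the one place an underscore does have SQL meaning, as a single-character wildcard in LIKE patterns, and how to escape it. The sqlite3 in-memory database, the people table, the sample names and the helper names are assumptions made for the example.

```python
import sqlite3

# Constructed sample names; O'Neill and --'!@--_ are the ones from the answers.
SAMPLE_NAMES = [
    ("Conan", "O'Neill"),
    ("Mary_Ann", "Smith"),
    ("MaryXAnn", "Jones"),
    ("--'!@--_", "Example"),
]


def make_db(names=SAMPLE_NAMES):
    """Create an in-memory table and insert every name via bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (first TEXT NOT NULL, last TEXT NOT NULL)")
    # '?' placeholders pass the values separately from the SQL text, so quotes,
    # dashes and underscores are stored as data and never parsed as SQL.
    conn.executemany("INSERT INTO people (first, last) VALUES (?, ?)", names)
    return conn


def find_exact(conn, first):
    """Equality lookup: the bound value is compared literally."""
    rows = conn.execute("SELECT first, last FROM people WHERE first = ?", (first,))
    return rows.fetchall()


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so '_' and '%' in a name match themselves."""
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term


def find_prefix(conn, prefix, escaped=True):
    """Prefix search; with escaped=False a '_' acts as a one-character wildcard."""
    pattern = (escape_like(prefix) if escaped else prefix) + "%"
    rows = conn.execute(
        "SELECT first FROM people WHERE first LIKE ? ESCAPE '\\' ORDER BY first",
        (pattern,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_exact(db, "--'!@--_"))
    print(find_prefix(db, "Mary_", escaped=False))  # '_' matches any character
    print(find_prefix(db, "Mary_"))                 # literal underscore only
```

The unescaped LIKE search is a correctness issue (extra rows returned), not an injection: the pattern is still a bound parameter in both cases.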