cross-posted from: https://programming.dev/post/10497245

Hi,

For websites I’ve always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.

It’s easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.

On the topic I’ve this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

  • lurch (he/him)@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    17
    ·
    9 months ago

    even though it’s okay to forbid characters in user names for convenience, if you forbid them in order to not have to escape them, you’re basically building unintentional backdoors. every user input that goes to DB or shells must be escaped. otherwise you may miss something or an update introduces a new meaning for a character and you get hacked.

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    9 months ago

    Nope, don’t place any character restrictions on any field unless it makes sense from an application perspective. Then write tests to ensure the dangerous inputs don’t cause issues.

    The only limitations I do is place an upper bound on number of bytes so I don’t get DOSed with an abnormally long field. There are zero length characters, so check based on number of bytes, not UTF codepoints. I set this high enough to not impede users, but low enough to prevent problems (e.g. 256 bytes for username and password) and a separate length limitation for UX purposes (say, 30 characters for user display names).

    If you’re limiting characters for security purposes, you’re doing security wrong. Only limit it for application purposes.

    • merc@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      9 months ago

      That’s great if every external library and application also expects usernames that can contain every character, but mostly they won’t. If you’re very good about testing, you might catch every instance where they don’t, but that doesn’t mean you can necessarily fix them / get them fixed.

      Plus, there’s just displaying them. If you have sane limits on usernames, you can have sane user management tools that do things that list users vs. storage used, or whatever. If a username might contain backspace characters or who knows what else, all those tools have to be made more complicated too.

      In addition, there’s user support. If you allow usernames to contain zalgo text, you’re going to have far more users needing support because they’re having trouble entering their username. You’re also going to give your support people nightmares trying to help those users out.

      “Ok, I see you entered your username as “s̶u̵g̶a̴r̴_̵i̷n̴_̵y̶o̸u̷r̸-̴t̴e̷a̴” not “s̶u̵g̵a̶r̷_̶i̴n̸_̸y̵o̴u̵r̷_̸t̵e̵a̷”, could you try re-entering that username and see if that fixes the problem?”

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        If your libraries aren’t using proper SQL practices (or any other DB), you should get better libraries. Something like a username should be treated as just bytes by your backend services, so there should never be an issue.

        If your frontend wants to limit usernames, that’s fine. But that’s not a security issue, but a display issue.

        • merc@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          arrow-down
          2
          ·
          9 months ago

          If your libraries aren’t using proper SQL practices

          Why are you imagining this just has to do with SQL? You have a very narrow view of the problem and as a result you’re going to cause yourself massive headaches.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            arrow-up
            3
            ·
            edit-2
            9 months ago

            For a username, your backend should only do simple CRUD:

            • create user
            • read password hash
            • update username (if you support it)
            • delete user

            Other than that, you should be using a backend-generated ID, like a UUID or a login token, elsewhere in your application. So for the backend, your only concern related to secure handling of a username is the proper handling of SQL queries for those operations and encoding over the wire. Wire encoding is well defined (URL-encoding or base64), and SQL injection isn’t a thing if you use a decent library correctly. Don’t try to interpret it anywhere, just pass it along as a bunch of bytes, just like a password.

            So the only thing left is the frontend, where you should be sanitizing all user input anyway. If the frontend wants to sanitize input in some way, ensure the backend has the same check on creates and updates. But that has nothing to do with backend security, it’s merely a convenience to prevent bugs on the frontend.

            • merc@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              9 months ago

              Ok, but that wasn’t the question. The question was “Should you allow username to use Apostrophe (aka quotes )”.

              There’s no mention of what the role of the backend is, just the question of what that policy choice should be. By looking at it only through the lens of the backend, you’re going to cause headaches.

              • sugar_in_your_tea@sh.itjust.works
                link
                fedilink
                arrow-up
                2
                ·
                9 months ago

                We’re in a community focused on cyber security, and the question linked this stack exchange thread, which is explicitly about SQL injection. From that article:

                To block single quotes in all input is madness. This breaks functionality of the application and isn’t even the correct solution against SQL injection.

                The context is SQL injection, which typically is a backend thing. That’s why I talked about BE vs FE. You could instead say “DB layer” vs “presentation layer” if you prefer.

                But my point is that removing single quotes in the context of cyber security completely misses the point. Only remove single quotes (or any other character) if it makes sense for your application use case, not for some vague sense of “security.” If allowing single quotes causes a security vulnerability, your code is wrong even if you disallow single quotes.