a little newbie php / mysql here ...
I am creating a PHP-based website that uses a MySQL database to store user information, such as their display names, usernames and passwords.
I learned about escaping, prepared statements, etc., and how to prevent SQL injections such as "bobby"), drop table users - ".
I use prepared PDO instructions to get user input from forms to register them in the database. However, I need to know a few things:
Since I use prepared instructions for display names, usernames, passwords, etc., is it okay for me to allow special characters like @, #, $, or even “single” or “double” quotes? What about spaces, international characters, accented characters, or things like ♥? And when I ask if these characters are allowed, I wonder if there are any additional security risks that may arise from allowing quotes or parentheses in usernames or things like html tags for bold or italics?
If you allow most special characters, but not some of them: are there any specific "dangerous" characters (within MySQL) that I absolutely must make illegal? (I feel that quotes may be on this agenda, but I get mixed signals from this.)
If I allowed characters outside the typical “alphanumeric and underscore”, are there any pitfalls that I can experience later (in MySQL, SQL, or PHP), allowing strange characters? Will I need to somehow make the html tags appear as strings and not the actual tags when displaying usernames? Or do I need to escape quotes in people's usernames when I wanted to contact them? Or none of this happens, since I will use prepared statements with PDO?
utf8 utf16 , ,
,
, -?
, ,
. , MS Word
. ,
,
"" "". ♥
, - -.
? ?
, .