What are the typical characters allowed in text fields in a new user sign-up? Are there www standards? Especially interested in Username and Password character types allowed.
新用户注册中文本字段中允许的典型字符是什么?有www标准吗?特别感兴趣的是允许的用户名和密码字符类型。
10 个解决方案
#1
I prefer to be able to use alphabetic, numeric, and special characters to create my passwords. I really hate it when sites deny me the use of special characters, particularly !@$*.
我更喜欢能够使用字母,数字和特殊字符来创建我的密码。当网站拒绝让我使用特殊字符时,我真的很讨厌它!@ $ *。
#2
Don't restrict password characters. The more characters available, the more secure passwords can be. There's no good reason to forbid spaces, for example, in a password.
不要限制密码字符。可用的字符越多,密码就越安全。例如,在密码中没有充分理由禁止空格。
For usernames, it depends on where they will be displayed. If you plan to give users there own profile URL, you would want to limit characters much more than if not.
对于用户名,它取决于它们的显示位置。如果您计划为用户提供自己的个人资料网址,则您希望限制字符的次数远远超过其他人。
Just don't forget to escape user inputs when you output them again.
只是不要忘记在再次输出时转义用户输入。
#3
What reason would you have to ever deny any characters? You should just allow everything, with the possible exception of the null character. You will have to encode usernames when you print them on your site to avoid cross-site scripting problems, but you probably should do that anyways even if you're filtering the "dangerous" characters just to be safe. Allowing all characters, especially for passwords, greatly increases usability (and security, in the case of passwords). Also, keep in mind that some users may want to input UTF8 characters if they have accents in their names (or if they're using a non-latin alphabet like Chinese or Russian).
你有什么理由否认任何角色?你应该只允许一切,可能的例外是空字符。在您的网站上打印时,您必须对用户名进行编码以避免跨站点脚本问题,但即使您为了安全而过滤“危险”字符,您也可能应该这样做。允许所有字符,尤其是密码,大大提高了可用性(以及密码时的安全性)。另外,请记住,如果某些用户的名字中有重音符号(或者如果他们使用的是非拉丁字母,如中文或俄文),则可能需要输入UTF8字符。
#4
If you do restrict characters, it shouldn't be for security (e.g. preventing quotes so people can't insert SQL). Your code should be able to handle any characters in an input string, by properly escaping them whenever they're sent somewhere. But it's fine to restrict them for business reasons, or for certain other practical reasons (e.g. Zach's example of a URL).
如果您确实限制了字符,那么它不应该用于安全性(例如,防止引号,以便人们无法插入SQL)。您的代码应该能够处理输入字符串中的任何字符,只要它们被发送到某处,就可以正确地转义它们。但出于商业原因或出于某些其他实际原因(例如Zach的URL示例)限制它们是可以的。
#5
PLEASE allow apostrophes for all of the O'Briens, O'Malleys, O'Reillys and other apostrophed names!
请允许所有O'Briens,O'Malleys,O'Reillys和其他撇号名字的撇号!
#6
Will your application be used by any non-english users?
您的申请是否会被任何非英语用户使用?
At the very least allow European characters like á à é è ì.
至少允许欧洲角色,如áàéèì。
Of course if it has to be truly internationalized then you have to allow any characters in languages like Chinese and Arabic.
当然,如果它必须真正国际化,那么你必须允许使用中文和阿拉伯语等语言中的任何字符。
Looks to me like you can't really make a list of allowed characters if you don't want to make anyone mad.
在我看来,如果你不想让任何人发疯,你就不能真正列出允许的角色。
If you want to do this for security purposes, I would recommend escaping the necessary characters before trying to use the string instead of filtering up front.
如果你想出于安全目的这样做,我建议在尝试使用字符串而不是前面的过滤之前转义必要的字符。
#7
- Password fields should allow any characters (you're just going to hash it anyway, right?)
- Text fields should not be limited to specific characters (e.g. [A-Za-z]). Else you will be disallowing people who need (or want) to use accent characters. From a database/processing side of things, you will be escaping or using binding to save your data.
- If you have a specific field that you know can only accept a specific character set (business reasons, etc. as mentioned by JW). For example, forms that are meant for a US-only audience may restrict to numbers and a dash for postal codes.
密码字段应该允许任何字符(你只是要哈希它,对吧?)
文本字段不应限于特定字符(例如[A-Za-z])。否则,您将不再需要(或想要)使用重音字符的人。从数据库/处理方面来看,您将转义或使用绑定来保存数据。
如果您有一个特定字段,您知道只能接受特定字符集(业务原因等,如JW所述)。例如,仅供美国观众使用的表单可能会限制为邮政编码的数字和短划线。
#8
too add to what others have said: password: anything and everything, but do hash them (of course)
也加入别人所说的:密码:什么都有,但是哈希吧(当然)
username: everything, except, possibly a space... or multiple spaces (ie., single space is ok, more than one space = 1 space)
用户名:一切,除了,可能是空格......或多个空格(即单个空格都可以,多个空格= 1个空格)
#9
Passwords should, as an absolute minimum, allow every character available from the keyboard in your target locale(s).
密码应作为绝对最小值,允许目标语言环境中键盘提供的每个字符。
#10
Don't restrict anything and if you want to give users their own URLs either use a numerical ID or ask the user to make make the name for the URL. Never display the user's user name, display their display name (which should be limited to anything except dangerous Unicode characters) and asked for after sign up.
不要限制任何内容,如果您想为用户提供他们自己的URL,请使用数字ID或要求用户为URL创建名称。永远不要显示用户的用户名,显示他们的显示名称(除了危险的Unicode字符以外的任何内容),并在注册后要求显示。
#1
I prefer to be able to use alphabetic, numeric, and special characters to create my passwords. I really hate it when sites deny me the use of special characters, particularly !@$*.
我更喜欢能够使用字母,数字和特殊字符来创建我的密码。当网站拒绝让我使用特殊字符时,我真的很讨厌它!@ $ *。
#2
Don't restrict password characters. The more characters available, the more secure passwords can be. There's no good reason to forbid spaces, for example, in a password.
不要限制密码字符。可用的字符越多,密码就越安全。例如,在密码中没有充分理由禁止空格。
For usernames, it depends on where they will be displayed. If you plan to give users there own profile URL, you would want to limit characters much more than if not.
对于用户名,它取决于它们的显示位置。如果您计划为用户提供自己的个人资料网址,则您希望限制字符的次数远远超过其他人。
Just don't forget to escape user inputs when you output them again.
只是不要忘记在再次输出时转义用户输入。
#3
What reason would you have to ever deny any characters? You should just allow everything, with the possible exception of the null character. You will have to encode usernames when you print them on your site to avoid cross-site scripting problems, but you probably should do that anyways even if you're filtering the "dangerous" characters just to be safe. Allowing all characters, especially for passwords, greatly increases usability (and security, in the case of passwords). Also, keep in mind that some users may want to input UTF8 characters if they have accents in their names (or if they're using a non-latin alphabet like Chinese or Russian).
你有什么理由否认任何角色?你应该只允许一切,可能的例外是空字符。在您的网站上打印时,您必须对用户名进行编码以避免跨站点脚本问题,但即使您为了安全而过滤“危险”字符,您也可能应该这样做。允许所有字符,尤其是密码,大大提高了可用性(以及密码时的安全性)。另外,请记住,如果某些用户的名字中有重音符号(或者如果他们使用的是非拉丁字母,如中文或俄文),则可能需要输入UTF8字符。
#4
If you do restrict characters, it shouldn't be for security (e.g. preventing quotes so people can't insert SQL). Your code should be able to handle any characters in an input string, by properly escaping them whenever they're sent somewhere. But it's fine to restrict them for business reasons, or for certain other practical reasons (e.g. Zach's example of a URL).
如果您确实限制了字符,那么它不应该用于安全性(例如,防止引号,以便人们无法插入SQL)。您的代码应该能够处理输入字符串中的任何字符,只要它们被发送到某处,就可以正确地转义它们。但出于商业原因或出于某些其他实际原因(例如Zach的URL示例)限制它们是可以的。
#5
PLEASE allow apostrophes for all of the O'Briens, O'Malleys, O'Reillys and other apostrophed names!
请允许所有O'Briens,O'Malleys,O'Reillys和其他撇号名字的撇号!
#6
Will your application be used by any non-english users?
您的申请是否会被任何非英语用户使用?
At the very least allow European characters like á à é è ì.
至少允许欧洲角色,如áàéèì。
Of course if it has to be truly internationalized then you have to allow any characters in languages like Chinese and Arabic.
当然,如果它必须真正国际化,那么你必须允许使用中文和阿拉伯语等语言中的任何字符。
Looks to me like you can't really make a list of allowed characters if you don't want to make anyone mad.
在我看来,如果你不想让任何人发疯,你就不能真正列出允许的角色。
If you want to do this for security purposes, I would recommend escaping the necessary characters before trying to use the string instead of filtering up front.
如果你想出于安全目的这样做,我建议在尝试使用字符串而不是前面的过滤之前转义必要的字符。
#7
- Password fields should allow any characters (you're just going to hash it anyway, right?)
- Text fields should not be limited to specific characters (e.g. [A-Za-z]). Else you will be disallowing people who need (or want) to use accent characters. From a database/processing side of things, you will be escaping or using binding to save your data.
- If you have a specific field that you know can only accept a specific character set (business reasons, etc. as mentioned by JW). For example, forms that are meant for a US-only audience may restrict to numbers and a dash for postal codes.
密码字段应该允许任何字符(你只是要哈希它,对吧?)
文本字段不应限于特定字符(例如[A-Za-z])。否则,您将不再需要(或想要)使用重音字符的人。从数据库/处理方面来看,您将转义或使用绑定来保存数据。
如果您有一个特定字段,您知道只能接受特定字符集(业务原因等,如JW所述)。例如,仅供美国观众使用的表单可能会限制为邮政编码的数字和短划线。
#8
too add to what others have said: password: anything and everything, but do hash them (of course)
也加入别人所说的:密码:什么都有,但是哈希吧(当然)
username: everything, except, possibly a space... or multiple spaces (ie., single space is ok, more than one space = 1 space)
用户名:一切,除了,可能是空格......或多个空格(即单个空格都可以,多个空格= 1个空格)
#9
Passwords should, as an absolute minimum, allow every character available from the keyboard in your target locale(s).
密码应作为绝对最小值,允许目标语言环境中键盘提供的每个字符。
#10
Don't restrict anything and if you want to give users their own URLs either use a numerical ID or ask the user to make make the name for the URL. Never display the user's user name, display their display name (which should be limited to anything except dangerous Unicode characters) and asked for after sign up.
不要限制任何内容,如果您想为用户提供他们自己的URL,请使用数字ID或要求用户为URL创建名称。永远不要显示用户的用户名,显示他们的显示名称(除了危险的Unicode字符以外的任何内容),并在注册后要求显示。