>> Daniel Blumenthal <[EMAIL PROTECTED]> wrote:
>> As a security concern, you might not want to allow full UTF-8 usernames.
>> There are a number of invisible characters (from the soft hyphen to various
>> connector characters) which people can use to spoof other users' names.
On Sun, Mar 05, 2006 at 07:09:52PM -0800, Dave wrote:
> Hi Daniel,
>
> I am not quite understanding. Is it a security hole?
> User needs a username and password to login to the web application.

It _can_ be a security hole, but it does not necessarily _have_ to be one. It certainly can make things a bit trickier to get right.

The problem is that two usernames that are actually different can _look_ the same. For example, say you are looking at two usernames, both of which appear on your screen as "joe-bob". It is possible that one of them uses an actual ASCII hyphen character, while the other uses the Unicode soft hyphen.

This can lead to all sorts of problems. E.g., let's say "joe-bob" (the soft-hyphen one) sends you a message through your web app (thus supposedly proving he is authorized to ask) asking you to cancel his account. You go and type "joe-bob" (with an ASCII hyphen) into your delete-a-user form and end up deleting the wrong user.

eric
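The check a registration form would want for the soft-hyphen case above, as an added example that is not part of the thread: reject usernames containing invisible or format characters, and compare a normalized key against existing accounts so that visually identical names cannot coexist. It assumes a registration flow that keeps the set of canonical keys already issued; the names and the `existing` set are constructed for the example.

```python
import unicodedata

# Unicode general categories that render as nothing (or as a line break):
# Cf = format (soft hyphen U+00AD, zero-width joiner U+200D, ...),
# Cc = control, Co = private use, Cn = unassigned, Zl/Zp = line/paragraph separator.
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn", "Zl", "Zp"}


def invisible_chars(name):
    """Return (index, char) for every character that would be invisible on screen."""
    return [(i, ch) for i, ch in enumerate(name)
            if unicodedata.category(ch) in INVISIBLE_CATEGORIES]


def canonical_key(name):
    """Key used for the uniqueness check at registration time.

    NFKC folds compatibility forms (fullwidth letters, ligatures) onto their
    plain equivalents; casefold removes case differences.  Note: this does
    NOT catch look-alike letters from other scripts (Cyrillic 'а' vs Latin 'a');
    that needs a confusables table, which is outside this example.
    """
    return unicodedata.normalize("NFKC", name).casefold()


def validate_username(name, existing):
    """Validate a requested username against a set of already-issued canonical keys.

    Returns (True, canonical_key) on success or (False, reason) on rejection.
    """
    if not name or len(name) > 64:
        return False, "length"
    bad = invisible_chars(name)
    if bad:
        idx, ch = bad[0]
        return False, "invisible character U+%04X at %d" % (ord(ch), idx)
    key = canonical_key(name)
    if key in existing:
        return False, "collides with existing user after normalization"
    return True, key


if __name__ == "__main__":
    taken = {"joe-bob"}                       # constructed: already-registered keys
    print(validate_username("joe-bob", set()))        # (True, 'joe-bob')
    print(validate_username("joe\u00adbob", taken))   # rejected: soft hyphen at 3
    print(validate_username("Joe-Bob", taken))        # rejected: same key as joe-bob
    print(validate_username("\uff4a\uff4f\uff45-bob", taken))  # fullwidth j,o,e: rejected
```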