digitalFAQ.com Forum


kpmedia 01-23-2011 05:41 PM

Prevent stupid ASCII usernames in vBulletin
 
Although this forum has been in current form for going on 3 years now --- as a vBulletin site, kept up to date, and using various in-house custom mods, vB.org mods and plugins --- it wasn't until this recent holiday season (Dec-Jan) that people started to register with stupid usernames that included a lot of ASCII. Example: ~J0EB()B+HE/GREA%~

We're of the opinion that a username should be just that -- a user's "name" (be it real or pseudonym).

That implies mostly letters, possibly some "name-like" punctuation (periods, ampersands, spaces, hyphens). To help with name availability, standard numerals were allowed (0-9), and then some other standardized characters were allowed (i.e.: underscores and asterisks).

And NOT a jumble of random ASCII because you want to be a "kewl" computer nerd. :mad:

In some cases, I think allowing any and all characters could prove to be a security hazard, as it could potentially allow for PHP or SQL injections -- ugly, ugly stuff. So even if in the name of security, limiting username characters would be a wise move for your vB forum.

vBulletin includes the option to limit what is available to new registrations, but the code either does too much or not enough. You'll find this in the admincp, under vBulletin Options > User Registration Options in the page section Username Regular Expression:
Code:

(Do not start or end the expression with an escape character)
Examples:
^[A-Z]+$ - Characters from A-Z only
^[A-Z ]+$ - Characters from A-Z including space
^[A-Z0-9 ]+$ - Alphanumeric characters including space
^((?!&#\d+;)[\x20-\x7E])+$ - ASCII characters from 32-127
See PHP.net for more information on regular expressions.

A-Z is not enough.
A-Z with space is not enough.
A-Z,0-9 with space is not enough.
Characters 32-127 is way, way too much.

So I asked for help at the usual places:
  • vB.org (one answer),
  • vB.com (no answers -- figures),
  • vBSEO.com (where I'm a member because I hold a few vBSEO licenses, and always get great advice from the members and staff alike). vBSEO is now a dead site/project.

The best attempt at advice came from vBSEO, but unfortunately did not work. No matter what was suggested, there was no way to get a functional regular expression. A user at vB.org had a better suggestion -- to insert characters, separated by a space, in the Illegal User Names field. And that's what has worked to prevent the most common "stupid user names".

You can also block dumb ASCII names by adding this to your Illegal User Names:
Code:

@ ~ ` # $ % ^ ( ) + = { [ ] } | \ / ? < > , ; : " '

Because we also actively screen new users (name, email, IP) about once a week, I'll just continue to manually fix/delete accounts that have used ASCII, as well as enter new ASCII that's been used into the Illegal User Names list.

Yes, it's not as foolproof as a Regular Expression, and it's rather quick and dirty -- but it's still somewhat effective for the basics (i.e., anything found on the keyboard or with SHIFT+keyboard). And that's really all that matters to me.

I hope this helps some fellow vBulletin admins. :)


If interested, you can read the other threads at:


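Added example, not part of the original post and not vBulletin code: a Python comparison of an allowlist pattern built from the characters the post names as acceptable against the post's Illegal User Names list, showing which names the blocklist alone lets through. The function names and all sample names except the post's own example are constructed, and the Illegal User Names check is modelled as a plain substring match; the pattern is checked here in Python, not inside vBulletin.

```python
import re

# Allowlist from the characters the post names as acceptable: letters, digits,
# space, period, ampersand, hyphen, underscore, asterisk.
ALLOWLIST = re.compile(r"[A-Za-z0-9 .&_*-]+")

# The post's Illegal User Names entry, split on spaces as the field expects.
BLOCKLIST = r"""@ ~ ` # $ % ^ ( ) + = { [ ] } | \ / ? < > , ; : " '""".split()


def allowlist_ok(name: str) -> bool:
    # fullmatch anchors both ends, so a trailing newline cannot slip past "$".
    return ALLOWLIST.fullmatch(name) is not None


def blocklist_ok(name: str) -> bool:
    # Assumption: any listed token appearing anywhere rejects the name.
    return not any(tok in name for tok in BLOCKLIST)


def disagreements(names):
    """Names the blocklist accepts but the allowlist rejects."""
    return [n for n in names if blocklist_ok(n) and not allowlist_ok(n)]


# Constructed sample registrations (only the first comes from the post).
SAMPLES = [
    "~J0EB()B+HE/GREA%~",        # the post's example
    "Joe Bob",
    "J.R. & Sons",
    "mary_ann-99*",
    "!!!kewl!!!",                # "!" is not in the blocklist
    "J\u00f8e\u2605B\u00f8b",    # non-ASCII letters and a star symbol
    "joe\tbob",                  # control character (tab)
    "admin\u200b",               # zero-width space after a familiar name
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n!r:28} allowlist={allowlist_ok(n)!s:5} blocklist={blocklist_ok(n)}")
    print("blocklist-only passes:", disagreements(SAMPLES))
```

Every name the blocklist misses here uses a character that simply was never listed, which is the maintenance burden the post describes when it talks about adding newly seen characters after each weekly review.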