Hi,
For websites I’ve always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.
It’s easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.
On the topic I’ve this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense
But if you have better documentation feel free to share :)
Thanks
You don’t need to escape any content for storing in a DB field.
Use the correct database interface and you’re good.
I’d be more concerned about intention and intentional design. Arbitrary characters can be misleading or problematic for users. Using an allow list for accepted username characters is a good approach if you can’t depend on good intentions of users.