Like others have said, a string entered in a text field can’t possibly do any serious harm to your Unity application from Unity’s point of view. The worst thing that might happen is that using some strange Unicode characters results in some visual glitches, but nothing that could break the game.
However it depends on how you use the string otherwise. For example if you store it or save / transmit it via JSON / XML / … you should make sure that no special characters are used in those strings. Most of these frameworks however do the escaping out-of-the-box. So you can literally use any string, but you should make sure that however you use the string you don’t expect some kind of “special format”.
For example, concatenating several player names into one string separated with “;” will fail if a name contains a “;”.
I wouldn’t be too restrictive about what the user can input. Fattie’s suggestion to limit to a-zA-Z is quite unpractical. Any user that doesn’t live in an English-speaking world will hate your game. There is more than ASCII.
It’s all a matter of what you want to allow in your game. For example if you have some sort of faction / clan management and if a user is in a clan the clan tag is displayed in square brackets before the name, you probably don’t want the user to be able to include square brackets in their name.
I personally would filter out: newline, carriage return, tab, and other special characters (everything below unicode
I have just written a small helper class which allows you to create your own “filter rules”. It also has a “CheckForProblems” method which returns a list of things which aren’t right in the passed string. It lists every excluded item only once. So if there are 3 newline characters in the string it will only report the first one. The class is designed to avoid garbage creation due to the filtering. It uses a StringBuilder to actually perform the filtering. The “Problem” struct should also avoid garbage if you cache the List.
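The helper class itself is not included above, so here is an added example in the same spirit (my own code, not the answerer’s): a filter that always rejects control characters (tab, newline, carriage return and everything else below U+0020, plus DEL) and additionally rejects a caller-supplied set of characters the game reserves for its own syntax (here assumed to be the clan-tag brackets and the “;” separator mentioned earlier). CheckForProblems fills a caller-owned list so no garbage is created per call, reports each offending character only once, and Filter uses a reused StringBuilder. The sample names are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// One rejected character, with the first index it was found at and the rule that rejected it.
public struct Problem
{
    public char Character;
    public int Index;
    public string Rule;
    public Problem(char c, int index, string rule) { Character = c; Index = index; Rule = rule; }
}

public class NameFilter
{
    // Characters the game reserves for its own markup (assumption: '[' ']' for clan tags, ';' as separator).
    private readonly HashSet<char> reserved;
    private readonly StringBuilder sb = new StringBuilder();   // reused, so Filter allocates only the result
    private readonly HashSet<char> seen = new HashSet<char>(); // reused, so each character is reported once

    public NameFilter(string reservedChars) { reserved = new HashSet<char>(reservedChars); }

    // Control characters are never acceptable in a display name, whatever the locale.
    private static bool IsControl(char c) => c < ' ' || c == '\u007F';

    // Returns the name of the rule that rejects c, or null if c is fine. Non-ASCII letters pass.
    public string Rule(char c)
    {
        if (IsControl(c)) return "control character";
        if (reserved.Contains(c)) return "reserved character";
        return null;
    }

    // Returns the name with every rejected character removed.
    public string Filter(string name)
    {
        sb.Clear();
        foreach (char c in name)
            if (Rule(c) == null) sb.Append(c);
        return sb.ToString();
    }

    // Fills the caller-supplied list (cache it to avoid garbage) and returns the number of problems.
    // Each distinct offending character is listed once, at the index of its first occurrence.
    public int CheckForProblems(string name, List<Problem> problems)
    {
        problems.Clear();
        seen.Clear();
        for (int i = 0; i < name.Length; i++)
        {
            char c = name[i];
            string rule = Rule(c);
            if (rule == null || !seen.Add(c)) continue;
            problems.Add(new Problem(c, i, rule));
        }
        return problems.Count;
    }
}

public static class Demo
{
    public static void Main()
    {
        var filter = new NameFilter("[];");
        var problems = new List<Problem>();
        // Constructed inputs: a plain name, a non-ASCII name that must pass, and a hostile one.
        foreach (string name in new[] { "Alice", "Jörg Müller", "[ADM]\tBob;\n\n" })
        {
            int count = filter.CheckForProblems(name, problems);
            string shown = name.Replace("\t", "\\t").Replace("\n", "\\n");
            Console.WriteLine($"\"{shown}\" -> \"{filter.Filter(name)}\" ({count} problem(s))");
            foreach (var p in problems)
                Console.WriteLine($"  U+{(int)p.Character:X4} at index {p.Index}: {p.Rule}");
        }
    }
}
```

Rejecting on the basis of a short list of rules, rather than allowing only a-zA-Z, is what keeps names like “Jörg Müller” working; the reserved set is the one place to extend when the game grows new syntax around names.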
Since you mentioned SQL injection, I think I should add this: things like SQL injection are only a problem when you don’t escape your string properly based on your use case.
Imagine you get a userName from a webform and want to create an SQL query with it. I don’t use php so my example is in C# but the idea is the same:
string userName; // what the user typed in
string sqlQuery = "select * from users where username='"+userName+"'";
Some people think that since they enclose the string in single quotation marks, it doesn’t matter what the user enters. That’s actually partially true. As long as the text is quoted it doesn’t matter. However, the user could type a single quote “himself”. That would terminate the quote and allow him to add something to the query.
userName = "';drop database;select '";
Such a string would kill the whole database if multiple queries are allowed by your system. The server interprets them as separate queries:
select * from users where username=''
drop database
select ''
So in this case it would be enough to either remove single quotes from the string or escape it.
Most systems that rely on a certain syntax (SQL, URL, RegEx, …) have dedicated escape and unescape functions. They ensure that all special characters for that system are escaped properly and the string is safe to be treated as “text”.
Some examples: real_escape_string, EscapeUriString, RegEx.Escape
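An added example to go with the SQL part of the answer (my own code, not the answerer’s): it puts the concatenated query from the answer beside an escaped version, where the only special character inside a single-quoted SQL literal, the single quote, is doubled (the SQLite and standard SQL escape), and beside a parameterised query, which is what the “treat it as text” idea looks like when the database driver does the work for you. The hostile value is the one from the answer; the in-memory database uses Microsoft.Data.Sqlite, which is assumed to be referenced from the project.

```csharp
using System;
using Microsoft.Data.Sqlite;   // assumption: the Microsoft.Data.Sqlite package is referenced

public static class UserLookup
{
    // The concatenation from the answer, kept only so the generated SQL can be compared.
    public static string ConcatQuery(string userName) =>
        "select * from users where username='" + userName + "'";

    // Inside a single-quoted SQL literal the quote itself is the only special character;
    // doubling it keeps the whole value inside the literal, so it is treated as text.
    public static string EscapeSqlLiteral(string s) => s.Replace("'", "''");

    public static string EscapedQuery(string userName) =>
        "select * from users where username='" + EscapeSqlLiteral(userName) + "'";

    // Parameterised query: the value travels separately from the statement text,
    // so no content of userName can change the structure of the query.
    public static int CountUsers(SqliteConnection conn, string userName)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "select count(*) from users where username = $name";
        cmd.Parameters.AddWithValue("$name", userName);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    public static void Main()
    {
        // The hostile value from the answer above.
        string hostile = "';drop database;select '";

        // With plain concatenation the quote is terminated and the text splits into three statements;
        // with escaping it stays one statement whose literal contains the whole typed value.
        Console.WriteLine(ConcatQuery(hostile));
        Console.WriteLine(EscapedQuery(hostile));

        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            // Constructed sample data.
            setup.CommandText = "create table users(username text); insert into users values ('alice');";
            setup.ExecuteNonQuery();
        }
        // Both lookups compare the value as text; the hostile one simply matches no row.
        Console.WriteLine(CountUsers(conn, "alice"));
        Console.WriteLine(CountUsers(conn, hostile));
    }
}
```

Escaping by hand works only if the escape matches the exact dialect the server speaks, which is why the dedicated functions the answer lists exist; parameters sidestep that question entirely and are the form to reach for whenever the driver offers them.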