Thanks for the suggestions. Indeed, specifying a list of chars which
is clean (e.g. [a-zA-Z0-9_] for a username in English) is optimum, and
I prefer that. But when you are working with fully multilingual
material, this becomes pretty much impossible. As the site in question
is all about language learning and could eventually handle any
language, that is the issue.
Rejecting some of the suspicious chars you suggest is something I will
do - but even that is not foolproof as there are various ways (more
than one, IIRC, but I'm not sure what they all are) of using escape
sequences to get through.
Of the list you suggest, I'd need to keep (, ), ? - all the rest I
could kill quite happily.
Again, thanks for the input. I'm going to forward this to the
DBIx::Class list (as that is probably where it should have gone in the