So far I have the code below, which I believe tests my username field to see that the input is a character, number or underscore of length 1-20 and the password field is a character, number, or underscore of length 6-20. I have two questions:

1.
What would be the code if I wanted to allow '@' and '.' in the username field (so that someone could enter an email address)?

2.
If I wanted to extend these fields so that they could use more characters...which characters are safe to allow (or I guess an easier question is what characters are NOT safe to allow)? I use the username and password to query a database and validate the user.


if (preg_match("/^\w{1,20}$/", $username, $matches_u) && preg_match("/^\w{6,20}$/", $password, $matches_p))
$test="passed";

"/^(\w|@){1,20}$/"

Separate the characters with |s

You need to watch out for allowing period's though, as they are a special character in a regex. Namely, any character what-so-ever. Obviously not what you want! You would have to escape it with a backslash.
preg_match("/^(\w|@|\.){1,20}$/", $username)
Leanr more about regular expression at regular-expressions.info (http://www.regular-expressions.info/tutorial.html).