I heard from Alex Goldman of Reply All (a super duper very great podcast with stories loosely originating from the internet):
We’re doing a story about people that have names that websites and computers don’t seem to like – for example, we spoke to a guy named William Test, and a woman named Katie Test, both of whom can’t seem to keep a hotel or airplane booking because the name “test” is flagged by internal systems.
We also spoke to a guy named Christopher Null who had the same problem, and woman named Joan Fread, who can’t use paypal because her last name is the same as a PHP command.
I’m curious if there’s anyone in the dev community that is thinking about this, and how to deal with it. Is it even considered a problem? Is the population that this affects so small that people don’t even think about it?
I wrote back, but that was a few months ago and I haven’t heard anything. I figured I’d post my response here since it is really an interesting topic and maybe through the comments here we can stir up some interesting bits he can use.
This is my response:
At the end of the day, it’s sloppy programming. No software should accept a name input and at any point treat that as code. If your last name is like the famous XKCD comic, in a well-designed system, that should be fine.
There are some valid reasons to “flag” names. At my company (CodePen), we flag names for bad language. You can’t sign up as “Sh*tf*cker Dirtyballs”. We do that on purpose, to promote a healthier community.
There is a difference between names and usernames. It’s slightly more legit to have stricter rules around usernames. We have a file called “username_blacklist.rb” in our codebase that prevents the usage of lots of words. The reason for this isn’t because we’re worried about overriding Ruby functions or anything, but 1) We use usernames in URL’s, meaning we need to reserve some of those for our own use and 2) again, bad language filter. 3) Spam. If a username has “watchsocceronline” (for example) in it, we flag it for a spam review.
The “real world” of programming is complicated. It’s not terribly surprising that companies write “band-aid code” that fixes a problem quickly instead of well. Writing code that blocks/flags a last name of “delete” is easier to write than auditing a whole codebase for situations in which that string causes problems.
What experience to y’all have with this?