If spammers can abuse something, they gonna abuse it
If it doesn’t exclude a URL it likely doesn’t block SQL either.
Time for the ol’ XKCD Little Bobby Tables attack
That’s not how this works.
You have a database driver that takes care of communicating with the database.
In the bad old days (pre-early 2000s) the only way they knew how to do that was plain old SQL strings so you passed a string that contained both the data and the instructions on what to do with it.
Now you SHOULD be writing prepared statements that contain the instructions then passing the data separately to fill in the placeholders in the prepared statement via the driver (NOT via modifying the string).
// DO NOT DO THIS
execute("INSERT INTO foo VALUES ('a', 'b', 'c')")
vs
// DO THIS
executePrepared("INSERT INTO foo VALUES (?,?,?)", "a", "b", "c")
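The contrast described in the comment above, as an added example that is not part of the original thread: the same signup written both ways with Python's `sqlite3`, run against constructed names. The `accounts` table, the function names and the sample values are assumptions made for illustration.

```python
import sqlite3

# Constructed sample names: a legitimate apostrophe, the spam-style name
# from this thread, and a name containing SQL syntax.
NAMES = [
    "O'Brien",
    "GET BITCOIN NOW https://spam.example/",
    "x', 'other@example.com', 1) --",
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT, email TEXT, verified INTEGER)")
    return db

def register_unsafe(db, name, email):
    # The 'DO NOT DO THIS' form: data is spliced into the SQL text,
    # so quotes inside the name become part of the statement.
    db.execute(f"INSERT INTO accounts VALUES ('{name}', '{email}', 0)")

def register_safe(db, name, email):
    # The 'DO THIS' form: the statement is fixed and the driver binds
    # the values to the placeholders as data only.
    db.execute("INSERT INTO accounts VALUES (?, ?, 0)", (name, email))

def outcome(register, name):
    """Register one name in a fresh database; return the stored row or the error."""
    db = make_db()
    try:
        register(db, name, "op@example.com")
    except sqlite3.Error as exc:
        return f"error: {type(exc).__name__}"
    return db.execute("SELECT name, email, verified FROM accounts").fetchone()

if __name__ == "__main__":
    for name in NAMES:
        print(repr(name))
        print("  string-built :", outcome(register_unsafe, name))
        print("  parameterized:", outcome(register_safe, name))
```

With string building, the apostrophe breaks the statement and the third name rewrites the `email` and `verified` columns. With bound parameters all three names are stored verbatim, including the spam-style one, so what happens to the name when it is later placed in an email is a separate output-handling question.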
And yet injection is still #3 in the OWASP Top 10
I mean, allowing arbitrary characters in the name is one thing. I think I would do that as well, as there are many weird names out there.
But then actually parsing it out (or not escaping it properly), that’s the real sin.
Might be the mail client being helpful and going “hey! That’s a URL. Let me make it a link”
URLs as a person name
What do you mean?
Somebody created an account at MyEpson with OP’s email address and the name “GET BITCOIN NOW link”, which sends a confirmation email to OP with that name. Basically it’s spam using Epson as a trojan horse to get past filters.