@Stan, Hello. Thanks for the Christmas wishes.
Sounds like you are on the right track. These are valid concerns.
There are blacklists and there are whitelists. To ensure security to a great extent (maximum is no web site at all), you would allow users only to select from a list. The other end of the spectrum is "anything goes". That's where you get things like (not limited to) SQL injection. What you can do in between is to make a whitelist. You can avoid doing ANYTHING with any special characters you find in the input. That is, no greater than, no less than, no open or close paren, and probably no ampersand, either. That would be a blacklist validation. Blacklists can grow longer as new technologies show up. It is tough to get them right, and tougher to keep them right. Browsers march along from version to version, and you never know what someone will point at your site, and that's just one source for error.
Depending on your application, you might wish to avoid anything that is not a space, digit or letter. Allowing things in that are on a constrained "good" list is whitelist validation. And, of course, apply your length and other constraints mentioned in your post.
You can research more of this on your own. Consider the types of attacks you aim to thwart (SQL injection, other types of injection, buffer overrun, etc.). Terms you can look at also include blacklist and whitelist.
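As an added illustration of the three approaches in the post above (example code, not the commenter's own): a blocklist that rejects only the characters it names, an allowlist that accepts only space, digit or letter within a length bound, and the most restrictive option, selecting from a fixed list. Function names, the 64-character limit and the sample choice values are assumptions for the example.

```python
import re

# Blocklist (blacklist) approach: reject only the characters the post names
# (greater than, less than, parens, ampersand). Anything not listed passes.
BLOCKED_CHARS = set("<>()&")


def blocklist_validate(value: str, max_len: int = 64) -> bool:
    """Reject input that is too long or contains a blocked character."""
    if len(value) > max_len:
        return False
    return not any(ch in BLOCKED_CHARS for ch in value)


# Allowlist (whitelist) approach: accept only ASCII space, digit or letter,
# at least one and at most 64 characters. Everything else is rejected,
# including characters nobody thought to put on a blocklist.
ALLOWED_PATTERN = re.compile(r"^[A-Za-z0-9 ]{1,64}$")


def allowlist_validate(value: str) -> bool:
    """Accept input only if every character is on the allowed list."""
    return ALLOWED_PATTERN.fullmatch(value) is not None


# Most restrictive option: the user picks from a fixed set of known-good
# values (constructed sample set), so free-form text never reaches the app.
COUNTRY_CHOICES = frozenset({"US", "CA", "MX"})


def choice_validate(value: str) -> bool:
    """Accept only a value that appears in the predefined list."""
    return value in COUNTRY_CHOICES


def compare(inputs):
    """Map each input to (blocklist verdict, allowlist verdict) for review."""
    return {s: (blocklist_validate(s), allowlist_validate(s)) for s in inputs}


if __name__ == "__main__":
    # Constructed sample inputs: the apostrophe case shows the blocklist
    # passing a character it never listed while the allowlist rejects it.
    for text, verdicts in compare(["John Smith 42", "O'Brien", "<b>x</b>", ""]).items():
        print(repr(text), "blocklist:", verdicts[0], "allowlist:", verdicts[1])
```

The allowlist is deliberately ASCII-only; an application that must accept accented names would widen the character class rather than fall back to a blocklist.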