Yes, you're absolutely right. Usually I take better care of this; I guess I missed it 'cause I just copied and pasted Snaip's original code and modified it from there. (I replied one minute after he posted his question, so I didn't take too much time to look carefully at all the details.)
Also, allowing other characters doesn't necessarily mean it's insecure. It also depends on the PHP script.
Anyway, I'll take better care of it next time.
