Imagine trying to authenticate a user nameed "Foo'or True Or'foo" — no "dangerous" characters, but there goes your login scheme.
If all you're doing is reading and writing to the db, then properly parameterizing queries should take care of the problem.
I would not put any constraints on a user name - it may even contain numbers; think of aristocratic names. No matter what regex you come up with, I can find a name somewhere in the world that will break it.
That being said, you do need to sanitize input, to avoid the Little Bobby Tables problem.
For numeric fields, there is a convenient way to validate a value range, but we want to select to run a custom validation script.