Any field in a DB can be vulnerable to SQL injection. Filtering out characters is a terrible way to mitigate that attack, you should be using prepared queries where it does not matter what chars you have in your username or password. You should never form a query with string concatenation.

You may want to limit chars in a username to ones allowed in URLs (or even ones that don’t need escaping) if you ever want it to appear in a URL though. Or any other places the user name might be used, but a entry in a DB should not matter.

You don’t need to escape any content for storing in a DB field.

Use the correct database interface and you’re good.

I’d be more concerned about intention and intentional design. Arbitrary characters can be misleading or problematic for users. Using an allow list for accepted username characters is a good approach if you can’t depend on good intentions of users.

Since character filtering is all about edge cases, I would like to note that if someone uses an FF14 character name as a display name, the game allows for apostrophe and hyphen and will have a single space.

It’s not a huge edge case population wise (unless you’re building an application focused on that community or genre), but as others have said it’s much safer to prevent the injection from happening in the first place using an interface rather than try to figure out all the way a user can break out of a constructed string.