非法字符判断

if Instr(username,".")<>0 and Instr(username,"@")<>0 and Instr(username,"<")<>0 and Instr(username,">")<>0 and Instr(username,"/")<>0 and Instr(username,"\")<>0 and Instr(username,"[url=file://\\]\\")<>0[/url] and Instr(username,"//")<>0 and Instr(username,"#")<>0 and Instr(username,"'")<>0 then
 response.write "<script language='javascript'>"
 response.write "alert('您输入的用户名中含有非法字符，请检查后重新输入！');"
 response.write "location.href='javascript:history.go(-1)';"      
 response.write "</script>"
 response.end
 end if
我这样写判断是否含有非法字符不对吗？
为什么含了非法字符也一样可以提交啊，好象没什么用？
请指教下啊！