The validation function is called IsName() in RemoteAdmin.c. To save you looking it up, here are the rules:
+-= are disallowed when used as the first character of a group or user name but are otherwise ok.
|"*:\/?.<> and spaces are disallowed in user/group names anywhere.
A web based PHP script that logs into the server and issues "site adduser/gadduser" would be easy enough to do. Or you could use the shared memory interface. As an interesting aside you may want to check out the OnUnknownLogin feature. From the ChangeLog:
Code:
90) New ioFTPD.ini event (OnUnknownLogin under [Events]). If the USER command
entered by the user during login refers to an unknown user name then this
event will be called. If it returns true, which normally would indicate
an error, the user lookup is performed again. The addition of this event
should allow the dynamic creation of new user accounts which may be useful
if there are thousands of them stored in an Active Directory or other 3rd
party database and waiting to import them until they have been referenced
makes sense. Also useful in conjunction with a shared user module that
doesn't expect every account to use the server. Default is undefined.