If by exploits you mean SQL injection and other stuff like that, limiting the characters someone can use is absolutely the wrong way to go about it.
There's one 100% guaranteed way of protecting your database from SQL injection, and that is to use prepared statements, where you pass user input as variables of the query, instead of being part of the query.
Since these variables are never considered or parsed as part of the SQL queries themselves, it's completely impossible to be able to perform SQL injection attacks towards a database this way.
From here, this way you get protected from SQL injection, but there are plenty of other attacks that can be performed against any database, which will mostly depend on how you do the queries themselves, and how you handle database errors, especially in languages like PHP.
For instance, depending on how you do a query I could get more info than what I should, without using SQL injection, but by exploiting how certain expressions are evaluated in the database even from variables (such as the
And depending on how you are handling the database errors, and how your PHP install is configured overall for production, I may be able to get your database details, like its full DSN, password, etc, and connect directly to it if it's exposed to the Internet.
As far as player names are concerned, if you do the necessary steps to protect against SQL injection, use proper queries and handle/configure your errors well, the only last step you should do is establish some basic rules for the player name, not to protect the database from mishaps, but to make sense to you logically, such as: having a min and max number of characters allowed, trimming the name from whitespace, and so on.
If you do these steps, you don't have to concern yourself about any issues on the database itself based simply on name characters.
Restrict only the characters based on what makes sense to you overall.
Just one last note: use UTF8 encoding for your database, it makes no sense using anything else, since UTF8 is good and universal enough to represent every Unicode character anyone wants.
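The steps described in the post above, put together as an added example that is not part of the original post: a PDO prepared statement, name rules applied as game logic, and errors kept out of the response. The `players` table, the 3 to 24 character limits, the function names and the in-memory SQLite database are assumptions made for illustration, and `mb_strlen` requires the mbstring extension.

```php
<?php
declare(strict_types=1);

// Production setting: never render errors (which may carry connection details) to the client.
ini_set('display_errors', '0');

// Name rules are game-logic rules, not a SQL defence. The limits are assumed values.
function normalizePlayerName(string $raw, int $min = 3, int $max = 24): ?string
{
    $name = trim($raw);
    $len = mb_strlen($name, 'UTF-8'); // count characters, not bytes
    return ($len >= $min && $len <= $max) ? $name : null;
}

// Hypothetical lookup helper: returns the matching row, or null if none or if the name is invalid.
function findPlayer(PDO $db, string $rawName): ?array
{
    $name = normalizePlayerName($rawName);
    if ($name === null) {
        return null;
    }
    try {
        // The name travels as a bound parameter and is never parsed as SQL.
        $stmt = $db->prepare('SELECT id, name FROM players WHERE name = :name');
        $stmt->execute([':name' => $name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // Details go to the server log only; the caller gets a generic failure.
        error_log('player lookup failed: ' . $e->getMessage());
        throw new RuntimeException('Database error');
    }
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT UNIQUE)');
$insert = $db->prepare('INSERT INTO players (name) VALUES (?)');
$insert->execute(["O'Brien"]);
$insert->execute(['Zoë']);

var_dump(findPlayer($db, "  O'Brien "));   // padded name containing an apostrophe
var_dump(findPlayer($db, "x' OR '1'='1")); // constructed injection-style string, bound as plain data
var_dump(findPlayer($db, 'ab'));           // shorter than the assumed minimum length
```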