How to validate names with apostrophes in them

Black Sulfur
I am trying to do simple PHP validation on a name field. But what I have now blocks everything except letters and spaces. What if the person has a ' in their name, which isn't uncommon, e.g. O'Brian?

if (!preg_match("/^[a-zA-Z ]*$/",$_POST['name'])) {
  $error .= "Only letters and white space allowed"; 
}

Commented:
So allow the characters you want.

/^[a-zA-Z ']*$/

HTH,
Dan

Author

Commented:
Oh right. Simple as that. Doh!

Commented:
BTW, after accepting that user input, I would make sure I would sanitize the string before using it for anything.

https://www.owasp.org/index.php/OWASP_PHP_Filters

Author

Commented:
It is going into a database and I am using real_escape_string to prevent SQL injection. Is that sufficient?

Commented:
For SQL injection, yes.

Make sure you use some kind of validation when using the string for output too.

Author

Commented:
I have this for the actual insert:

$name = htmlentities($_POST['name'], ENT_QUOTES);


That okay?

Commented:
Insert into the DB or insert into the final output?

That line makes sure it will display properly in a browser.

Author

Commented:
$stmt = $link->prepare("INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $email, $password, $name); // binds by reference, so the values assigned below are used at execute()
$email = htmlentities($_POST['email'], ENT_QUOTES);
$password = password_hash($_POST['password'], PASSWORD_BCRYPT, ['cost' => 12]); // hash the submitted password; the options argument takes a 'cost' key
$name = htmlentities($_POST['name'], ENT_QUOTES);
$stmt->execute();
$stmt->close();


Author

Commented:
Sorry, I am using a prepared statement so I didn't actually need real_escape_string here.

Commented:
Assuming you're using MySQL, I always use mysqli::real_escape_string before insert.

Then I use htmlspecialchars or htmlentities after I've collected the data from the DB and use it in a query string or directly for output.

Commented:
Yup, a prepared statement takes care of real_escape_string.

Your approach should work too. Storing the string already HTML-encoded means you don't forget to do that when using it.
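Putting the thread's advice together in one added example (not the asker's or the experts' code): whitelist validation that admits the apostrophe, a prepared statement that binds the raw value, and HTML encoding only at the point of output. It assumes an open mysqli connection in `$link` and the `users` columns from the INSERT above; the hyphen in the whitelist goes beyond the thread, for names such as Smith-Jones.

```php
<?php
// Added example, not from the thread. Assumes an open mysqli connection in
// $link and the users(email, password, firstName) columns from the asker's INSERT.

// 1. Validation: letters, spaces and apostrophes as Dan suggested; the hyphen is
//    an addition for double-barrelled names. The anchors and {1,100} reject the
//    empty string and absurdly long input, which `*` on its own would accept.
function validate_name(string $name): bool
{
    return preg_match("/^[a-zA-Z '-]{1,100}$/", $name) === 1;
}

// 2. Storage: the parameter is bound, not spliced into the SQL, so the apostrophe
//    in O'Brian needs neither real_escape_string nor HTML encoding here.
//    bind_param binds by reference; the hash is assigned before execute().
function insert_user(mysqli $link, string $email, string $password, string $name): bool
{
    $stmt = $link->prepare(
        "INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)"
    );
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt->bind_param("sss", $email, $hash, $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Output: encode when rendering, so the database keeps the plain name
//    (usable in e-mails, exports and comparisons) while the browser sees the
//    apostrophe as &#039; instead of a live quote that could close an attribute.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = ['name' => "O'Brian", 'email' => 'ob@example.com', 'password' => 'correct horse'];

if (!validate_name($post['name'])) {
    $error = "Only letters, spaces, apostrophes and hyphens allowed";
} else {
    if (isset($link) && $link instanceof mysqli) {   // skipped when run without a DB
        insert_user($link, $post['email'], $post['password'], $post['name']);
    }
    echo '<p>Welcome, ' . render_name($post['name']) . '</p>';
}
```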
