How to validate names with apostrophes in them

I am trying to do simple PHP validation on a name field, but what I have now blocks everything except letters and spaces. What if the person has a ' in their name, which isn't uncommon, e.g. O'Brian?

if (!preg_match("/^[a-zA-Z ]*$/", $_POST['name'])) {
  $error .= "Only letters and white space allowed";
}


Black Sulfur asked:

Dan Craciun (IT Consultant) commented:
So allow the characters you want.

/^[a-zA-Z ']*$/
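The same idea as a complete validator, as an added example that is not part of the thread: allow exactly the characters you decide on (here letters, spaces, apostrophes and hyphens), anchor the pattern so the whole value must match, and cap the length. It goes one step beyond the ASCII-only class above by using \p{L} with the /u modifier so accented names pass as well. The function and sample names are my own.

```php
<?php
// Added example (not from the thread): a whitelist validator for name fields.
declare(strict_types=1);

function validate_name(string $name): ?string
{
    $name = trim($name);
    // Cap the length in bytes so the field cannot be used to push oversized input through.
    if ($name === '' || strlen($name) > 100) {
        return "Name must be between 1 and 100 characters";
    }
    // \p{L} = any letter in any script (needs /u); then space, apostrophe, hyphen.
    // ^ and $ force a full-string match; D keeps $ from matching before a trailing newline.
    if (!preg_match('/^[\p{L} \'-]+$/uD', $name)) {
        return "Only letters, spaces, apostrophes and hyphens allowed";
    }
    return null; // null means the value is acceptable
}

// Constructed sample inputs: the first three should pass, the rest should be rejected.
$samples = ["O'Brian", "Anne-Marie", "José", "O'Brian; --", "<b>x</b>", ""];
foreach ($samples as $s) {
    $err = validate_name($s);
    printf("%-20s => %s\n", var_export($s, true), $err ?? 'ok');
}
```

Note that passing validation does not make the apostrophe safe to embed anywhere; it is still data, so the later answers about prepared statements for the database and htmlspecialchars/htmlentities for HTML output apply unchanged.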


Black Sulfur (Author) commented:
Oh right. Simple as that. Doh!
Dan Craciun (IT Consultant) commented:
BTW, after accepting that user input, I would make sure I would sanitize the string before using it for anything.

Black Sulfur (Author) commented:
It is going into a database and I am using real_escape_string to prevent sql injection. Is that sufficient?
Dan Craciun (IT Consultant) commented:
For SQL injection, yes.

Make sure you use some kind of validation when using the string for output too.
Black Sulfur (Author) commented:
I have this for the actual insert:

$name = htmlentities($_POST['name'], ENT_QUOTES);


That okay?
Dan Craciun (IT Consultant) commented:
Insert into the DB or insert into the final output?

That line makes sure it will display properly in a browser.
Black Sulfur (Author) commented:
$stmt = $link->prepare("INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)");
// mysqli binds by reference, so the values assigned below are what execute() sends.
$stmt->bind_param("sss", $email, $password, $name);
$email = htmlentities($_POST['email'], ENT_QUOTES);
// password_hash takes its options as an associative array; [12] would be ignored and the default cost used.
$password = password_hash($_POST['password'], PASSWORD_BCRYPT, ['cost' => 12]);
$name = htmlentities($_POST['name'], ENT_QUOTES);
$stmt->execute();


Black Sulfur (Author) commented:
Sorry, I am using a prepared statement so I didn't actually need real_escape_string here.
Dan Craciun (IT Consultant) commented:
Assuming you're using MySQL, I always use mysqli::real_escape_string before insert.

Then use htmlspecialchars or htmlentities after I collected the data from the DB and use it in a query string or directly for output.
Dan Craciun (IT Consultant) commented:
Yup, a prepared statement takes care of real_escape_string.

Your approach should work too. Storing the string already HTML-encoded means you don't forget to do that when using it.
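The other approach Dan describes (store the validated value as typed, let the prepared statement carry the apostrophe, and encode only at output time), as an added example that is not the thread's own code. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the thread uses mysqli, but the placeholder mechanism is the same. Table, column and function names are my own.

```php
<?php
// Added example (not from the thread): prepared insert of raw data, HTML-encoding on output.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, firstName TEXT)');

function insert_user(PDO $db, string $email, string $password, string $name): void
{
    // Placeholders send the apostrophe in O'Brian as data, never as SQL syntax,
    // which is why no real_escape_string call is needed here.
    $stmt = $db->prepare('INSERT INTO users (email, password, firstName) VALUES (?, ?, ?)');
    // Options are an associative array: ['cost' => 12] raises the bcrypt work factor, [12] would not.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt->execute([$email, $hash, $name]);
}

function render_name(string $name): string
{
    // Encode when the value reaches HTML. ENT_QUOTES also turns ' into &#039;,
    // so the result is safe inside a quoted attribute, not only in element text.
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample rows.
insert_user($db, "obrian@example.com", "correct horse battery staple", "O'Brian");
insert_user($db, "x@example.com", "hunter2", "<b>not bold</b>");

foreach ($db->query('SELECT firstName FROM users') as $row) {
    // The stored value is exactly what was submitted...
    echo "stored: {$row['firstName']}\n";
    // ...and only the rendered copy is encoded.
    echo "html:   " . render_name($row['firstName']) . "\n";
}
```

Either approach is sound as long as encoding happens exactly once per context. Storing the raw value keeps the database usable for searching and for non-HTML consumers, while the thread's store-encoded approach needs care not to run htmlentities a second time on output, which would show the literal &amp;#039; in the page.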