  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 86

How to validate names with apostrophes in them

I am trying to do simple PHP validation on a name field, but what I have now blocks everything except letters and spaces. What if the person has a ' in their name, which isn't uncommon, e.g. O'Brian?

// Allows only ASCII letters and spaces, so a name such as O'Brian is rejected
if (!preg_match("/^[a-zA-Z ]*$/", $_POST['name'])) {
  $error .= "Only letters and white space allowed";
}


0
Asked by: Black Sulfur
1 Solution
 
Dan Craciun (IT Consultant) commented:
So allow the characters you want.

/^[a-zA-Z ']*$/

HTH,
Dan
0
 
Black Sulfur (Author) commented:
Oh right. Simple as that. Doh!
0
 
Dan Craciun (IT Consultant) commented:
BTW, after accepting that user input, I would make sure I would sanitize the string before using it for anything.

https://www.owasp.org/index.php/OWASP_PHP_Filters
0

 
Black Sulfur (Author) commented:
It is going into a database and I am using real_escape_string to prevent sql injection. Is that sufficient?
0
 
Dan Craciun (IT Consultant) commented:
For SQL injection, yes.

Make sure you use some kind of validation when using the string for output too.
0
 
Black Sulfur (Author) commented:
I have this for the actual insert:

$name = htmlentities($_POST['name'], ENT_QUOTES);

That okay?
0
 
Dan Craciun (IT Consultant) commented:
Insert into the DB or insert into the final output?

That line makes sure it will display properly in a browser.
0
 
Black Sulfur (Author) commented:
$stmt = $link->prepare("INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)");
// bind_param binds by reference, so the variables may be assigned after binding
$stmt->bind_param("sss", $email, $password, $name);
$email = htmlentities($_POST['email'], ENT_QUOTES);
// password_hash takes its cost in an associative options array, not [12]
$password = trim(password_hash($_POST['password'], PASSWORD_BCRYPT, ['cost' => 12]));
$name = htmlentities($_POST['name'], ENT_QUOTES);
$stmt->execute();
$stmt->close();

0
 
Black Sulfur (Author) commented:
Sorry, I am using a prepared statement so I didn't actually need real_escape_string here.
0
 
Dan Craciun (IT Consultant) commented:
Assuming you're using MySQL, I always use mysqli::real_escape_string before insert.

Then use htmlspecialchars or htmlentities after I collected the data from the DB and use it in a query string or directly for output.
1
 
Dan Craciun (IT Consultant) commented:
Yup, a prepared statement takes care of real_escape_string.

Your approach should work too. Storing the string already HTML-encoded means you don't forget to do that when using it.
0
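The thread's pieces put together as one added example (my code, not from the thread or either participant): the accepted answer's regex for validation, a prepared statement for the insert, and the encode-on-output approach Dan describes in his later comment. It assumes `$link` is an open mysqli connection and the `users` table from the author's snippet; `validate_name`, `insert_user` and `render_name` are names I chose.

```php
<?php
// Added example, not code from the thread. Assumes $link is an open mysqli
// connection and a `users` table with columns email, password, firstName.

function validate_name(string $name): ?string {
    $name = trim($name);
    // Letters, spaces and apostrophes only, as in the accepted answer; length capped
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    if (!preg_match("/^[a-zA-Z ']*$/", $name)) {
        return null;
    }
    return $name;
}

function insert_user(mysqli $link, string $email, string $password, string $name): bool {
    // Reject malformed addresses up front; OWASP's PHP filters page covers this
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $link->prepare("INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)");
    // password_hash expects the cost in an associative options array
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Bound parameters carry the apostrophe safely; no real_escape_string needed
    $stmt->bind_param("sss", $email, $hash, $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Encode only when rendering, so the database keeps the literal O'Brian
function render_name(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$name = validate_name($_POST['name'] ?? '');
if ($name === null) {
    $error = "Only letters, white space and apostrophes allowed";
} else {
    insert_user($link, $_POST['email'] ?? '', $_POST['password'] ?? '', $name);
    echo "<p>Welcome, " . render_name($name) . "</p>";
}
```

Storing the raw validated value and encoding at output keeps searches and comparisons against the stored name working, while still neutralising the apostrophe and any angle brackets when the page is rendered.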
