<div>
Oh right. Simple as that. Doh!
</div>


<div>
BTW, after accepting that user input, I would make sure I would sanitize the string before using it for anything.<br />
<br />
<a href="https://www.owasp.org/index.php/OWASP_PHP_Filters" rel="ugc">https://www.owasp.org/index.php/OWASP_PHP_Filters</a>
</div>


<div>
It is going into a database and I am using real_escape_string to prevent sql injection. Is that sufficient?
</div>


<div>
For SQL injection, yes. <br />
<br />
Make sure you use some kind of validation when using the string for output too.
</div>


<div>
I have this for the actual insert:<br />
<br />

<pre><code class="code-1 nolinks" id="code-20-41773614-1"><span>$name = htmlentities($_POST['name'], ENT_QUOTES);</span>
</code></pre>
<br />
That okay?
</div>


<div>
Insert into the DB or insert into the final output?<br />
<br />
That line makes sure it will display properly in a browser.
</div>


<div>
<pre><code class="code-1 nolinks" id="code-20-41773617-1"><span>$stmt = $link-&gt;prepare(&quot;INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)&quot;);</span>
<span>			$stmt-&gt;bind_param(&quot;sss&quot;, $email, $password, $name);</span>
<span>			$email = htmlentities($_POST['email'], ENT_QUOTES);</span>
<span>			$password = trim(password_hash($password, PASSWORD_BCRYPT, [12]));</span>
<span>			$name = htmlentities($_POST['name'], ENT_QUOTES);</span>
<span>			$stmt-&gt;execute();</span>
<span>			$stmt-&gt;close();</span>
</code></pre>
</div>


<div>
Sorry, I am using a prepared statement so I didn't actually need real_escape_string here.
</div>


<div>
Assuming you're using MySQL, I always use mysqli::real_escape_string<wbr /> before insert. <br />
<br />
Then use htmlspecialchars or htmlentities after I collected the data from the DB and use it in a query string or directly for output.
</div>


<div>
Yup, a prepared statement takes care of real_escape_string.<br />
<br />
Your approach should work too. Storing the string already html encoded so you don't forget to do that when using it.
</div>


<div>
<div class="content wysiwyg-content">
I am trying to do simple php validation on a name field. But what I have now blocks everything except letters and spaces. What if the person has a ' in their name which isn't uncommon. e.g.: O'Brian<br />
<br />

<pre><code class="code-1 nolinks" id="code-10-28966131-1"><span>if (!preg_match(&quot;/^[a-zA-Z ]*$/&quot;,$_POST['name'])) {</span>
<span>  $error .= &quot;Only letters and white space allowed&quot;; </span>
<span>}</span>
</code></pre>
</div>
</div>


I am trying to do simple php validation on a name field. But what I have now blocks everything except letters and spaces. What if the person has a ' in their name which isn't uncommon. e.g.: O'Brian

(CODE)

How to validate names with apostrophes in them

PHP is a widely-used server-side scripting language especially suited for web development, powering tens of millions of sites from Facebook to personal WordPress blogs. PHP is often paired with the MySQL relational database, but includes support for most other mainstream databases. By utilizing different Server APIs, PHP can work on many different web servers as a server-side scripting language.