• Status: Solved
  • Priority: Medium
  • Security: Public

How to validate names with apostrophes in them

I am trying to do simple PHP validation on a name field, but what I have now blocks everything except letters and spaces. What if the person has a ' in their name, which isn't uncommon, e.g. O'Brian?

if (!preg_match("/^[a-zA-Z ]*$/",$_POST['name'])) {
  $error .= "Only letters and white space allowed"; 
}


Asked by: Black Sulfur
1 Solution
 
Dan Craciun (IT Consultant) commented:
So allow the characters you want.

/^[a-zA-Z ']*$/

HTH,
Dan
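As an added example (not Dan's or the asker's code), here is a version of that check that also accepts hyphens, the curly apostrophe (U+2019) that phone keyboards insert, and non-ASCII letters, and that closes two gaps in the original pattern: the * quantifier accepts an empty name, and a bare $ anchor accepts a trailing newline. The allowed character set and the 100-character cap are assumptions, not something the thread specified.

```php
<?php
// Added example, not code from the thread: a name check that allows apostrophes
// (straight and the curly U+2019 many phone keyboards produce), hyphens and
// non-ASCII letters, rejects empty input, and anchors with \A...\z so a
// trailing newline cannot slip past the check.

// The pattern from the original question, kept here only for comparison.
const ORIGINAL_PATTERN = "/^[a-zA-Z ]*$/";

// Hardened pattern (assumed policy: letters, marks, space, ' and curly apostrophe,
// hyphen, 1..100 characters).
//   \p{L}     any Unicode letter            (requires the /u modifier)
//   \p{M}     combining marks, e.g. a separately encoded accent
//   \x{2019}  RIGHT SINGLE QUOTATION MARK, the "smart" apostrophe
//   \A..\z    whole-string anchors; a bare $ also matches before a final "\n"
const NAME_PATTERN = "/\\A[\\p{L}\\p{M} '\\x{2019}-]{1,100}\\z/u";

function validate_name(string $name): bool
{
    return preg_match(NAME_PATTERN, $name) === 1;
}

// Constructed inputs with the verdict the hardened pattern should give.
$samples = [
    "O'Brian"            => true,
    "O\u{2019}Brian"     => true,   // curly apostrophe
    "Anne-Marie"         => true,
    "José García"        => true,
    ""                   => false,  // the original's * accepted an empty name
    "Bob\n"              => false,  // the original's $ accepted this
    "Robert'); DROP --"  => false,
    "<script>"           => false,
];

foreach ($samples as $input => $expected) {
    $hardened = validate_name($input);
    $original = preg_match(ORIGINAL_PATTERN, $input) === 1;
    printf("%-22s hardened=%-5s original=%-5s %s\n",
        json_encode($input),
        var_export($hardened, true),
        var_export($original, true),
        $hardened === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with php on the command line and compare the two columns: the "Bob\n" and empty-string rows are the ones where the original pattern says yes and the hardened one says no. Whether to allow spaces at the edges is a policy choice; trim() the value before calling validate_name if you do not want them.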
Black Sulfur (Author) commented:
Oh right. Simple as that. Doh!
Dan Craciun (IT Consultant) commented:
BTW, after accepting that user input, I would make sure to sanitize the string before using it for anything.

https://www.owasp.org/index.php/OWASP_PHP_Filters
Black Sulfur (Author) commented:
It is going into a database and I am using real_escape_string to prevent sql injection. Is that sufficient?
Dan Craciun (IT Consultant) commented:
For SQL injection, yes.

Make sure you use some kind of validation when using the string for output too.
Black Sulfur (Author) commented:
I have this for the actual insert:

$name = htmlentities($_POST['name'], ENT_QUOTES);

That okay?
Dan Craciun (IT Consultant) commented:
Insert into the DB or insert into the final output?

That line makes sure it will display properly in a browser.
Black Sulfur (Author) commented:
$stmt = $link->prepare("INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)");
// bind_param binds by reference, so assigning the variables afterwards works.
$stmt->bind_param("sss", $email, $password, $name);
$email = htmlentities($_POST['email'], ENT_QUOTES);
// $password is assumed to already hold the submitted plaintext password here.
// password_hash takes an options array: ['cost' => 12]. A bare [12] has no
// 'cost' key and is ignored, so the default cost would have been used.
$password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$name = htmlentities($_POST['name'], ENT_QUOTES);
$stmt->execute();
$stmt->close();

Black Sulfur (Author) commented:
Sorry, I am using a prepared statement so I didn't actually need real_escape_string here.
Dan Craciun (IT Consultant) commented:
Assuming you're using MySQL, I always use mysqli::real_escape_string before insert.

Then use htmlspecialchars or htmlentities after I collected the data from the DB and use it in a query string or directly for output.
Dan Craciun (IT Consultant) commented:
Yup, a prepared statement takes care of real_escape_string.

Your approach should work too: storing the string already HTML-encoded means you don't forget to do that when using it.
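An added example, not code from this thread, that puts the pieces discussed above together in the shape Dan describes in his comment about htmlspecialchars: validate the shape on input, hand the raw value to a prepared statement, and encode for HTML at the point of output rather than before storing. It assumes $link is an open mysqli connection and the users table (email, password, firstName) from the poster's snippet; the minimum password length is an assumed policy, and the name pattern is the same hardened one used earlier on this page.

```php
<?php
// Added example, not the poster's code. It shows the three boundaries handled
// separately: validate the shape on input, let the prepared statement carry
// the raw value into MySQL, and encode for HTML only when rendering.
// Assumes $link is an open mysqli connection and the `users` table from the
// thread (email, password, firstName). The password length floor is an
// assumed policy, not something the thread specified.

const NAME_PATTERN = "/\\A[\\p{L}\\p{M} '\\x{2019}-]{1,100}\\z/u";

function register_user(mysqli $link, string $email, string $password, string $name): bool
{
    // 1. Validation: accept or reject, never "clean up". No escaping happens here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (preg_match(NAME_PATTERN, $name) !== 1) {
        return false;
    }
    if (strlen($password) < 12) {
        return false;
    }

    // 2. Storage: placeholders keep data out of the SQL text, so O'Brian needs
    //    no real_escape_string and is stored exactly as typed. The options
    //    array must be ['cost' => 12]; a bare [12] is silently ignored.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

    $stmt = $link->prepare("INSERT INTO `users` (email, password, firstName) VALUES (?, ?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("sss", $email, $hash, $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Output: encode for the context being written into, at the moment of
//    writing. ENT_QUOTES covers both quote characters, so the value is also
//    safe inside a single- or double-quoted HTML attribute.
function render_greeting(string $nameFromDb): string
{
    $safe = htmlspecialchars($nameFromDb, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, {$safe}</p>";
}

// Constructed values standing in for rows read back from the database.
foreach (["O'Brian", "Anne-Marie", "<b>not bold</b>"] as $stored) {
    echo render_greeting($stored), "\n";
}
```

The reason to encode at output rather than at storage is that the encoding depends on where the value ends up: the same name needs htmlspecialchars for an HTML page, urlencode for a query string, and nothing at all for a JSON API or a CSV export. Storing the raw value keeps all of those options open and keeps the apostrophe in O'Brian intact in the database.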