  1. #1
    DoubleDee (SitePoint Wizard)

    Validating a First Name

    What are your thoughts on validating a First Name?

    I didn't want to allow any value for fear a bad guy could use this as a security exploit. (Although since I am using Prepared Statements, that might be hard to do.)

    Here is my current code...
    PHP Code:
        // Validate First Name.
        if (empty($trimmed['firstName'])) {
            $errors['firstName'] = 'Please enter your First Name.';
        } else {
            // Letters, space, apostrophe, period or hyphen; 2-20 characters, case-insensitive.
            if (preg_match('#^[A-Z \'.-]{2,20}$#i', $trimmed['firstName'])) {
                $firstName = $trimmed['firstName'];
            } else {
                $errors['firstName'] = 'First Name must be 2-20 characters (A-Z \' . -)';
            }
        }
    Is this too restrictive?

    In the U.S. at least, this should pretty much cover everything...


    Debbie

  2. #2
    SitePoint Enthusiast
    Some 15 years ago I think some people in England tried to call their kid something like 1526jhl4hklh246l3j6 :P there may have been special characters in that as well but I can't remember. I don't think they succeeded though :P So, your regex should pretty much cover anything besides insane British people

  3. #3
    AnthonySterling
    Rémon? Sánchez?
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  4. #4
    DoubleDee (SitePoint Wizard)
    Quote Originally Posted by AnthonySterling:
    Rémon? Sánchez?
    So how would you handle things then?

    If I open things up then some j4ck4ss will start typing "d3bb1e" and "r*b*rt" and "k8tee" and "!@#$%^&*()_+"

    Do people with weird names like "Rémon" know better to just enter "Remon"??


    There must be a happy-medium?!


    Debbie

  5. #5
    AnthonySterling
    It would depend on what I was using their first name for. I see no harm in letting them type anything they like as it currently stands. Why do you feel you need to restrict their first name? Do you have cause?

    You're exactly right though, there is a happy medium, you just need to figure out what your happy medium is; then implement it.

  6. #6
    Jake Arkinstall (Theoretical Physics Student)
    You could use an optimistic filter, i.e. do checks against characters rather than for them.

    I.e. if you detect any punctuation, double-spaces, numbers then fail - otherwise pass. Remember that hyphens (e.g. "ann-marie") are valid. But no matter how much regex you throw in there, there's no stopping them using semantically valid, yet culturally invalid, names - e.g. 'DonaldDuck'. So in that respect I agree with Anthony, that sometimes restrictions are just inspiration for greater creativity.

    As for security exploits, you'll be fine with any string as far as I'm aware, as long as you aren't really, really stupid and put it in exec() or something. Also remember to htmlspecialchars it on output, or they could inject HTML/JS - which is all they can do when they can't touch the database code. Though on the subject, that reminds me a little of http://xkcd.com/327/
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded" - Molona
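    The "optimistic" filter Jake describes, written out as an added example (not code from the thread). It rejects anything that is not a letter, combining mark, space, hyphen or apostrophe, so "Rémon" and "Sánchez" pass while digits and symbols fail, and it is compared against Debbie's original ASCII-only regex. The 2-40 length limit is an assumption chosen for the example.

```php
<?php
// Added example: an optimistic first-name filter (check against bad characters,
// not for good ones). The /u modifier plus \p{L} / \p{M} makes it Unicode-aware,
// so accented names are accepted; digits, symbols and doubled separators are not.

function validateFirstName(string $raw): array
{
    $name = trim($raw);
    if ($name === '') {
        return [false, 'Please enter your First Name.'];
    }
    // Count characters, not bytes, so multi-byte letters are not penalised.
    $len = mb_strlen($name, 'UTF-8');
    if ($len < 2 || $len > 40) {           // assumed limits for this example
        return [false, 'First Name must be 2-40 characters.'];
    }
    // Fail on any character that is NOT a letter, combining mark, space, apostrophe or hyphen.
    if (preg_match('/[^\p{L}\p{M} \'\-]/u', $name)) {
        return [false, 'Only letters, spaces, hyphens and apostrophes are allowed.'];
    }
    // Fail on doubled, leading or trailing separators ("ann--marie", "-ann", "ann  marie").
    if (preg_match('/[ \'\-]{2}|^[ \'\-]|[ \'\-]$/u', $name)) {
        return [false, 'Separators must sit between letters.'];
    }
    return [true, $name];
}

// Debbie's original pattern from the thread, for comparison.
function originalRegexAccepts(string $name): bool
{
    return preg_match('#^[A-Z \'.-]{2,20}$#i', $name) === 1;
}

// Constructed sample inputs, including the names mentioned in the thread.
$samples = ['Debbie', 'Rémon', 'Sánchez', 'ann-marie', "O'Neil", 'd3bb1e',
            'r*b*rt', 'ann--marie', 'DonaldDuck', '1526jhl4hklh246l3j6'];

printf("%-22s %-10s %s\n", 'input', 'original', 'optimistic');
foreach ($samples as $s) {
    [$ok, $msg] = validateFirstName($s);
    printf("%-22s %-10s %s%s\n", $s,
        originalRegexAccepts($s) ? 'accepted' : 'rejected',
        $ok ? 'accepted' : 'rejected',
        $ok ? '' : "  ($msg)");
}
// The original regex rejects "Rémon" and "Sánchez"; the optimistic filter accepts them.
// Both accept "DonaldDuck": a validator cannot judge whether a name is culturally plausible.
```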

  7. #7
    DoubleDee (SitePoint Wizard)
    Quote Originally Posted by Jake Arkinstall:
    You could use an optimistic filter, i.e. do checks against characters rather than for them.

    I.e. if you detect any punctuation, double-spaces, numbers then fail - otherwise pass. Remember that hyphens (e.g. "ann-marie") are valid. But no matter how much regex you throw in there, there's no stopping them using semantically valid, yet culturally invalid, names - e.g. 'DonaldDuck'. So in that respect I agree with Anthony, that sometimes restrictions are just inspiration for greater creativity.

    As for security exploits, you'll be fine with any string as far as I'm aware, as long as you aren't really, really stupid and put it in exec() or something. Also remember to htmlspecialchars it on output, or they could inject HTML/JS - which is all they can do when they can't touch the database code. Though on the subject, that reminds me a little of http://xkcd.com/327/
    So maybe I need to chill out on making people use "proper" names?

    As far as security, I am using Prepared Statements, and I believe that they catch everything so I should be safe there.

    Is that correct?


    Debbie

  8. #8
    SitePoint Enthusiast
    They don't catch HTML and JS. You should still filter those.
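    An added example (not code from the thread) of the point made in the last two posts: a prepared statement keeps a quote in the name from altering the SQL, but the stored value still contains whatever markup the user typed, so it must be encoded with htmlspecialchars when it is written into a page. It uses an in-memory SQLite database through PDO and assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: prepared statements stop SQL injection; output encoding stops HTML/JS injection.
// The two are separate controls at separate layers.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)');

// Constructed input: a "first name" carrying both a quote character and HTML markup.
$firstName = "D'Arcy <b>Bold</b>";

// 1. Prepared statement: the value is sent as a bound parameter, never spliced into
//    the SQL text, so the apostrophe in D'Arcy cannot change the query's structure.
$stmt = $db->prepare('INSERT INTO members (first_name) VALUES (:name)');
$stmt->execute([':name' => $firstName]);

// 2. The database stores the markup verbatim. That is correct behaviour: the database
//    has no idea the value will later be placed inside HTML.
$stored = $db->query('SELECT first_name FROM members')->fetchColumn();
var_dump($stored === $firstName); // bool(true): the <b> tag survived the round trip

// 3. Encode at the point where the value enters an HTML document, every time.
//    ENT_QUOTES also encodes single quotes, which matters inside attributes.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// What not to do: echoing the raw value lets the browser interpret the <b> tag.
echo 'Unsafe: <p>Hello, ' . $stored . "</p>\n";
// Encoded: the browser displays "<b>Bold</b>" as literal text.
echo 'Safe:   <p>Hello, ' . renderName($stored) . "</p>\n";
// Safe:   <p>Hello, D&#039;Arcy &lt;b&gt;Bold&lt;/b&gt;</p>
```

    The encoding belongs at output, not before the INSERT: a value encoded once on the way in and again on the way out shows up as "&amp;lt;b&amp;gt;" on the page.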

