Should I check length of Name on Registration page?

Question

I had more of a general question not exactly about my code. I was adding validation to my registration code for my site (checking for length and stripping out illegal characters). But I was wondering if I ask for the persons name first & last. Should I check the length of the characters on the name fields?

And if so what would be good min and max length's for names. I was thinking 3-20 characters. But I really dont want to limit the names if someone really does have a name longer then 20 characters. Any feedback would be great thanks :)

Answer 1

I find VARCHAR(32) for first name and last real name fields to be sufficient, and the only thing I would suggest doing to them is a run through htmlspecialchars() before inserting because some people legitimately have "strange" accented or non-ascii characters in their names that most people don't take into account with checks like preg_match('/[a-z]+/i', $name);, and a combination of parameterized queries [you're using those, right] and htmlspecialchars() should protect you from first and second order injection attacks.

You can use iconv() to transliterate/mangle their names into ASCII, but that's hit and miss, plus a pain in the ass, plus some people might take offense at that.

On the other hand if you're worried about space-efficiency with your field length you should know that the VAR in VARCHAR means 'variable length' and a VARCHAR(32) field containing 'Ted' will only take up 4 bytes of storage.