I find VARCHAR(32) for first name and last real name fields to be sufficient, and the only thing I would suggest doing to them is a run through htmlspecialchars() before inserting, because some people legitimately have "strange" accented or non-ASCII characters in their names that most people don't take into account with checks like preg_match('/[a-z]+/i', $name);, and a combination of parameterized queries [you're using those, right?] and htmlspecialchars() should protect you from first and second order injection attacks.

You can use iconv() to transliterate/mangle their names into ASCII, but that's hit and miss, plus a pain in the ass, plus some people might take offense at that.

On the other hand, if you're worried about space-efficiency with your field length, you should know that the VAR in VARCHAR means 'variable length' and a VARCHAR(32) field containing 'Ted' will only take up 4 bytes of storage.
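The points above (a name check that does not reject accented or non-ASCII characters, parameterized queries, and htmlspecialchars()) put together in one runnable script, as an added example that is not part of the original answer. It uses an in-memory SQLite database through PDO; the users table, the isPlausibleName() helper and the sample names are constructed for this demonstration.

```php
<?php
// Added example, not from the original answer: a Unicode-aware name check,
// a parameterized INSERT through PDO, and htmlspecialchars() applied to the
// values before they are rendered as HTML. The table, helper and sample
// names are constructed for this demonstration.

declare(strict_types=1);

// Accept letters from any script plus combining marks, apostrophes, hyphens
// and spaces, up to the 32 characters a VARCHAR(32) column holds. The /u flag
// makes PCRE treat pattern and subject as UTF-8, so "José" and "Müller" pass,
// which a check like /[a-z]+/i would not handle correctly.
function isPlausibleName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' -]{1,32}$/u', $name);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
                                first_name VARCHAR(32),
                                last_name  VARCHAR(32))');

// Constructed sample input: accented and non-ASCII names, a name containing
// an apostrophe, and one value carrying markup that the check should reject.
$samples = [
    ['José', 'Müller'],
    ['Zoë', "O'Brien"],
    ['Ted', 'Ng'],
    ['<b>Ted</b>', 'Ng'],
];

// The SQL text is fixed; the values are bound as parameters, so the
// apostrophe in O'Brien is stored as data and never alters the statement.
$insert = $pdo->prepare('INSERT INTO users (first_name, last_name)
                         VALUES (:first, :last)');

foreach ($samples as [$first, $last]) {
    if (!isPlausibleName($first) || !isPlausibleName($last)) {
        echo "rejected: {$first} {$last}\n";
        continue;
    }
    $insert->execute([':first' => $first, ':last' => $last]);
}

// Render the stored names: htmlspecialchars() turns <, >, & and quotes into
// entities, so anything that looks like markup is shown as text.
foreach ($pdo->query('SELECT first_name, last_name FROM users') as $row) {
    $safeFirst = htmlspecialchars($row['first_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeLast  = htmlspecialchars($row['last_name'],  ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "<li>{$safeFirst} {$safeLast}</li>\n";
}
```

Run it with `php example.php`: the three well-formed names are inserted and listed (O'Brien comes back as O&#039;Brien in the HTML), while the value containing `<b>` is rejected by the check before it reaches the database. The example escapes at the point of HTML output so the stored value stays as the user typed it; applying htmlspecialchars() before the INSERT, as the answer describes, works the same way as long as the output step does not escape it a second time.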