On 8/23/07, John H. Robinson, IV <[EMAIL PROTECTED]> wrote:
>
> If you know that you are expecting a name, validate that all characters
> are valid for names. I would tend to think that would be something like
> [A-Za-z ."]+
>
> I. Lewis "Scooter" Libby
>
>     (of course, in the real world, you want to allow for fancier
>     characters, like accents and tildes)
>

Here is an interesting post on how difficult it is to validate
something as seemingly simple as an email address:

http://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx

And with email, there is an RFC to fall back on. When validating a
name, you just have arbitrary conventions on which to base your regex.

Even if you are doing this type of contextual validation, it is still
a good idea to use parameterized queries. You generally don't have to
filter out the bad stuff yourself, as it is built into the platform
(at least it is in .Net and Java).

-- Rick

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
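An added illustration of the two points above (contextual validation of a name, and parameterized queries regardless of that validation). This is example code written for this page, not code from anyone in the thread, and it uses Python's built-in sqlite3 driver rather than the .Net or Java platforms Rick mentions; the regex is the one John proposed, kept ASCII-only as in his message, and the table rows are constructed sample data.

```python
import re
import sqlite3

# The regex from the thread: ASCII letters, space, period and double quote.
# Anchored with fullmatch so the whole string must consist of those characters.
# (Accents, hyphens and apostrophes are deliberately not handled here, as in
# the original suggestion.)
NAME_RE = re.compile(r'^[A-Za-z ."]+$')


def is_plausible_name(name: str) -> bool:
    """Contextual validation: does the input look like a name at all?"""
    return NAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    """In-memory table with a few constructed rows (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO people (name) VALUES (?)",
        [('I. Lewis "Scooter" Libby',), ("Ada Lovelace",), ("Conor O'Brien",)],
    )
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form, shown only for contrast: the value is spliced into the SQL text."""
    sql = "SELECT id, name FROM people WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe form: the driver binds the value, so it is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM people WHERE name = ?", (name,)).fetchall()


def concat_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenated query is rejected by the SQL parser for this input."""
    try:
        lookup_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"          # rejected by the regex, but try it anyway
    irish = "Conor O'Brien"           # a real name the regex also rejects

    print("regex accepts Libby:", is_plausible_name('I. Lewis "Scooter" Libby'))
    print("regex accepts O'Brien:", is_plausible_name(irish))
    # Concatenation: the hostile string returns every row; the real name errors out.
    print("concat, hostile:", lookup_concat(db, hostile))
    print("concat breaks on O'Brien:", concat_breaks_on(db, irish))
    # Parameterized: hostile string matches nothing; the real name matches its row.
    print("param, hostile:", lookup_param(db, hostile))
    print("param, O'Brien:", lookup_param(db, irish))
```

The regex does reject the classic injection string here, but it rejects a perfectly good name for the same reason, which is why the thread's advice is to validate for the context and still let the driver do the quoting.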
