
I have run into a problem with filter_var(), preg_match(), and single quotes.

I am trying to sanitize and validate the last name for illegal characters. It works with almost everything, but apparently last names containing single quotes, like O'Corner, result in an error.

I mean the $errors[] = 'Please use only alphabets, period, dash and spaces in the last name.'; is executing whenever I use single quotes in the user input field.

HTML code:

<input type="text" class="form-control" name="last_name" id="last_name" placeholder="Enter last name" maxlength="40" required value="<?php if (isset($_POST['last_name'])) { echo htmlspecialchars($_POST['last_name'], ENT_QUOTES); } ?>" title="Alphabets, quotes, dash, spaces and max 40 characters" pattern="^[a-zA-Z][a-zA-Z' -]*$">

PHP code:

$lname = filter_var($_POST['last_name'], FILTER_SANITIZE_STRING);
if (!empty($lname)) {
    if (!preg_match("/^[a-zA-Z][a-zA-Z' -]*$/", $lname)) {
        $errors[] = 'Please use only alphabets, period, dash and spaces in last name.';
    } else if (strlen($lname) > 40) {
        $errors[] = 'last name should not exceed 40 characters';
    } else {
        $lname = trim($lname);
    }
} else {
    $errors[] = 'Please enter your last name.';
}

I tried escaping the single quotes in the regular expression with backslash. But that did not work.

If I replace
$lname = filter_var($_POST['last_name'], FILTER_SANITIZE_STRING);
with
$lname = $_POST['lname'];
it works fine.

But I'm still not sure what's wrong with using a string containing single quotes and $lname = filter_var($_POST['last_name'], FILTER_SANITIZE_STRING); with the preg_match() method.
Could anyone help me?
Thank you in advance.

1 Answer


Your problem is coming from the fact that this specific call to the filter_var function is encoding the single quote ' into the HTML entity &#39;

If you print the $lname variable in the browser, it will render as a regular single quote, but in its source it will not be a quote but the mentioned HTML entity.
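The following is an added example, not code from the question or the answer, that reproduces the failure in a standalone script and shows the usual alternative: validate the raw (trimmed) value with the regex, and escape for HTML only at the output boundary. The function names, the LAST_NAME_PATTERN constant and the sample input "O'Corner" are assumptions made for this example.

```php
<?php
// Added example (not from the question or answer): why sanitize-then-validate
// rejects O'Corner, and a validate-then-escape-on-output alternative.

declare(strict_types=1);

// Same pattern the question uses for the last name.
const LAST_NAME_PATTERN = "/^[a-zA-Z][a-zA-Z' -]*$/";

/**
 * What the question's code does: sanitize first, then validate.
 * FILTER_SANITIZE_STRING (deprecated since PHP 8.1) strips tags and turns
 * a single quote into the HTML entity &#39;, so "O'Corner" becomes
 * "O&#39;Corner" and the regex no longer matches ('&', '#', ';' and digits
 * are not in the allowed character class).
 */
function validateSanitizedFirst(string $raw): array
{
    $lname = filter_var($raw, FILTER_SANITIZE_STRING);
    $valid = preg_match(LAST_NAME_PATTERN, $lname) === 1;
    return ['value' => $lname, 'valid' => $valid];
}

/**
 * Alternative: validate the trimmed raw value as-is. Nothing is rewritten
 * here; the regex already whitelists the characters the form allows, and
 * the stored value stays exactly what the user typed.
 */
function validateLastName(string $raw): array
{
    $errors = [];
    $lname = trim($raw);

    if ($lname === '') {
        $errors[] = 'Please enter your last name.';
    } elseif (preg_match(LAST_NAME_PATTERN, $lname) !== 1) {
        $errors[] = 'Please use only letters, apostrophes, dashes and spaces in the last name.';
    } elseif (strlen($lname) > 40) {
        $errors[] = 'Last name should not exceed 40 characters.';
    }

    return ['value' => $lname, 'errors' => $errors];
}

/**
 * Escape at the output boundary only, e.g. when echoing the value back into
 * the input's value attribute (this is what the question's HTML already does).
 */
function renderValue(string $lname): string
{
    return htmlspecialchars($lname, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input reproducing the question's case.
$input = "O'Corner";

$first = validateSanitizedFirst($input);
printf("sanitize first: value=%s valid=%s\n",
    $first['value'], $first['valid'] ? 'yes' : 'no');

$second = validateLastName($input);
printf("validate raw:   value=%s errors=%d\n",
    $second['value'], count($second['errors']));

printf("rendered:       %s\n", renderValue($second['value']));
```

Run it with `php example.php`. The first line shows the entity-encoded value that the regex rejects; the second shows the raw value passing validation; the third shows the quote being encoded only when it is rendered into HTML. If the sanitize call must stay, FILTER_SANITIZE_STRING accepts the FILTER_FLAG_NO_ENCODE_QUOTES flag, which leaves quotes alone, but validating the raw value and escaping on output keeps one representation of the data in storage and one encoding step at the place it is actually needed.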