Regular expression for validating names and surnames?

Question

Although this seems like a trivial question, I am quite sure it is not :)

I need to validate names and surnames of people from all over the world. How can I do that with a regular expression? If it were only English ones I think that this would cut it:

^[a-z -']+$

However, I need to support also these cases:

• other punctuation symbols as they might be used in different countries (no idea which, but maybe you do!)
• different Unicode letter sets (accented letter, greek, japanese, chinese, and so on)
• no numbers or symbols or unnecessary punctuation or runes, etc..

Is there a standard way of validating these fields I can implement to make sure that our website visitors have a great experience and can actually use their name when registering?

I would be looking for something similar to the many "email address" regexes that you can find on google.

---

For the sake of clarity, I don't need one single regex for the "whole" name. I would expect users to be able to split their name in the two main constituents according to their customs, and not to use suffixes and titles -- which could be contained in other fields if need be.

The main purpose of the question is to validate against XSS and SQL-injection (yes, I already use stored procedures, but I need to future- and idiot-proof the data).

The way any XSS filter will work is by only allowing what is strictly necessary -- not by disallowing known XSS vectors (i.e. disallowing "script", "<", etc...). To get an idea of the incredible variety of attacks that can be used, take a look here: http://ha.ckers.org/xss.html.

Sorry for not mentioning this before, and thus making the question a bit more misterious, but I didn't want to read 30 answers translitterating "disallow the < or > and you are safe!".

---

See here for a good starting point on Unicode character classes in C# Regexes -- which of these are strictly necessary for writing a name? I honestly have no idea of which, but possibly the collective mind of stackoverflow can help?

(I am prepared to force people like Jennifer 8 Lee to write their name in letters ;-)

---

So, I did "bother" to do it myself, because I think nobody else even tried. Guess what? Apparently I did find a proper answer, posted below! It wasn't that hard.

Can you help me find a valid, existing name or a XSS vector that can break that validation?

Answer 1

I would think you would be better off excluding the characters you don't want with a regex. Trying to get every umlaut, accented e, hyphen, etc. will be pretty insane. Just exclude digits (but then what about a guy named "George Forman the 4th") and symbols you know you don't want like @#$%^ or what have you. But even then, using a regex will only guarantee that the input matches the regex, it will not tell you that it is a valid name

EDIT after clarifying that this is trying to prevent XSS: A regex on a name field is obviously not going to stop XSS on it's own. However, this article has a section on filtering that is a starting point if you want to go that route.

http://tldp.org/HOWTO/Secure-Programs-HOWTO/cross-site-malicious-content.html

s/[\<\>\"\'\%\;\(\)\&\+]//g;

Answer 2

I actually wouldn't bother.

No matter what regex you come up with, I can find a name somewhere in the world that will break it.

That being said, you do need to sanitize input, to avoid the Little Bobby Tables problem.

Answer 3

I would just allow everything (except an empty string) and assume the user knows what his name is.

There are 2 common cases:

1. You care that the name is accurate and are validating against a real paper passport or other identity document, or against a credit card.
2. You don't care that much and the user will be able to register as "Fred Smith" (or "Jane Doe") anyway.

In case (1), you can allow all characters because you're checking against a paper document.

In case (2), you may as well allow all characters because "123 456" is really no worse a pseudonym than "Abc Def".

Answer 4

I don’t think that’s a good idea. Even if you find an appropriate regular expression (maybe using Unicode character properties), this wouldn’t prevent users from entering pseudo-names like John Doe, Max Mustermann (there even is a person with that name), Abcde Fghijk or Ababa Bebebe.

Answer 5

Forget about regex. Actually, I'd even say forget about such validation: There's no rules for names.

If you really really want to do something, it would be to check that UnicodeCategory is space, non-spacing marks (aka accents) and alphanumerical, in order to exclude very weird stuff. But even then! you'll probably cause more harm than solve problems.

Answer 6

I doubt that this is feasible - there are just to much Unicode symbols to exclude all unwanted symbols (and how will tell you what Chinese symbols to exclude?) and there are surly to many valid symbols to inlcude them all (and you will have Chinese symbols problem again).

I would not put any constraints on a user name - it may even contain numbers; think of aristocratic names.

Answer 7

Here you go: /.+/. That validates all known names assuming your regex engine can handle UNICODE characters.

Answer 8

BTW, do you plan to only permit the Latin alphabet, or do you also plan to try to validate Chinese, Arabic, Hindi, etc.?

As others have said, don't even try to do this. Step back and ask yourself what you are actually trying to accomplish. Then try to accomplish it without making any assumptions about what people's names are, or what they mean.

Answer 9

As many have said above there are no rules for names and chris said he could find a name in the world that could break the regex. Take Jennifer 8 Lee for example. The best way to go is just to sanitize the input.

Answer 10

It's a very difficult problem to validate something like a name due to all the corner cases possible.

Corner Cases

• Anything anything here

Sanitize the inputs and let them enter whatever they want for a name, because deciding what is a valid name and what is not is probably way outside the scope of whatever you're doing; given the range of potential strange - and legal names is nearly infinite.

If they want to call themselves Tricyclopltz^2-Glockenschpiel, that's their problem, not yours.

Answer 11

I'll try to give a proper answer myself:

The only punctuations that should be allowed in a name are full stop, apostrophe and hyphen. I haven't seen any other case in the list of corner cases.

Regarding numbers, there's only one case with an 8. I think I can safely disallow that.

Regarding letters, any letter is valid.

I also want to include space.

This would sum up to this regex:

^[\p{L} \.'\-]+$

This presents one problem, i.e. the apostrophe can be used as an attack vector. It should be encoded.

So the validation code should be something like this (untested):

var name = nameParam.Trim();
if (!Regex.IsMatch(name, "^[\p{L} \.\-]+$")) 
    throw new ArgumentException("nameParam");
name = name.Replace("'", "'");  //' does not work in IE

Can anyone think of a reason why a name should not pass this test or a XSS or SQL Injection that could pass?

---

complete tested solution

using System;
using System.Text.RegularExpressions;

namespace test
{
    class MainClass
    {
     public static void Main(string[] args)
     {
      var names = new string[]{"Hello World", 
       "John",
       "João",
       "タロウ",
       "やまだ",
       "山田",
       "先生",
       "мыхаыл",
       "Θεοκλεια",
       "आकाङ्क्षा",
       "علاء الدين",
       "אַבְרָהָם",
       "മലയാളം",
       "상",
       "D'Addario",
       "John-Doe",
       "P.A.M.",
       "' --",
       "<xss>",
       "\""
      };
      foreach (var nameParam in names)
      {
       Console.Write(nameParam+" ");
       var name = nameParam.Trim();
       if (!Regex.IsMatch(name, @"^[\p{L}\p{M}' \.\-]+$"))
       {
        Console.WriteLine("fail");
        continue;
       }
       name = name.Replace("'", "&#39;");
       Console.WriteLine(name);
      }
     }
    }
}