@Skliwz — Then that's what you need to address.
If they don't properly escape when inserting into SQL, any name with an apostrophe (which your original question already recognizes as necessary) opens you up to security vulnerabilities.
People with weird names are used to not being able to use them everywhere. The app I'm working on now has a thousand users a month who enter e-mail addresses in the first- or last-name field when signing up.
My last name is too long to fit on many credit cards and government forms, so I just truncate it. Some people might legitimately have an "@" in their names, but this number is minuscule compared with the number who simply are making an error. It's just a much wider world out there than you seem to realize, and your simplistic, Western-oriented rules will simply not work in general.
And that change is initiated by the value itself as it contains particular character sequences that mark the end of the one and the start of the other context.
Just like the So it suffices if you just escape the language- and context-dependent meta characters (those with a special meaning in that language and context) to get them treated as literals and not as meta characters.
Regarding numbers, there's only one case with an 8. But even then, using a regex will only guarantee that the input matches the regex; it will not tell you that it is a valid name.

EDIT, after clarifying that this is trying to prevent XSS: A regex on a name field is obviously not going to stop XSS on its own.
However, this article has a section on filtering that is a starting point if you want to go that route.
Sanitize the inputs and let them enter whatever they want for a name, because deciding what is a valid name and what is not is probably way outside the scope of whatever you're doing, given that the range of potential strange and legal names is nearly infinite.

I would not put any constraints on a user name; it may even contain numbers; think of aristocratic names. No matter what regex you come up with, I can find a name somewhere in the world that will break it. That being said, you do need to sanitize input, to avoid the Little Bobby Tables problem. If they want to call themselves Tricyclopltz^2-Glockenschpiel, that's their problem, not yours.

A very contentious subject that I seem to have stumbled upon here.
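As an added example (mine, not posted by anyone in this thread), here is the apostrophe and "Little Bobby Tables" point, and the point about escaping the meta characters of the current context, worked through in Python with the standard-library sqlite3 and html modules. The sample names, the table layout and all function names (insert_concatenated, find_ids_parameterized, escape_sql_literal, render_greeting) are my own constructions. It shows that a name like O'Brien breaks string-concatenated SQL, that a parameterized query stores and finds it without any name rules, that the SQL-literal escape (doubling the quote) is different from the HTML escape needed when the same name is displayed, and that awkward names with "^", "@" or digits need no special treatment at all.

```python
import html
import sqlite3

# Constructed sample inputs (not from the original thread): awkward but
# legitimate names, one classic injection string and one XSS payload.
SAMPLE_NAMES = [
    "O'Brien",
    "Tricyclopltz^2-Glockenschpiel",
    "someone@example.com",
    "x' OR '1'='1",
    "<script>alert('xss')</script>",
]


def make_db():
    """Fresh in-memory SQLite database seeded with two rows via parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("Alice",), ("O'Brien",)])
    return conn


def insert_concatenated(conn, name):
    """Vulnerable insert: the value is pasted into the SQL text, so a quote
    inside the name terminates the string literal early.
    Returns 'stored' or the name of the sqlite3 exception raised."""
    try:
        conn.execute("INSERT INTO users (name) VALUES ('" + name + "')")
        return "stored"
    except sqlite3.Error as exc:
        return type(exc).__name__


def insert_parameterized(conn, name):
    """Safe insert: the driver passes the value separately from the SQL text,
    so the name can contain any characters at all."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return "stored"


def find_ids_concatenated(conn, name):
    """Vulnerable lookup: the same concatenation bug in a WHERE clause turns
    x' OR '1'='1 into a query that matches every row."""
    sql = "SELECT id FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_ids_parameterized(conn, name):
    """Safe lookup: the quote is just a character in the compared value."""
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def escape_sql_literal(value):
    """Context-specific escaping for a SQL single-quoted string literal: the
    only meta character there is the quote, which is doubled to ''.
    Shown only to illustrate escaping; parameters are the better default."""
    return value.replace("'", "''")


def render_greeting(name):
    """HTML text context has a different meta-character set (<, >, &, quotes),
    so the same stored name needs a different escaper when it is displayed."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        conn = make_db()
        print("%-32r concat insert=%-16s param insert=%s"
              % (name, insert_concatenated(conn, name), insert_parameterized(conn, name)))
    conn = make_db()
    print("concat lookup x' OR '1'='1 ->", find_ids_concatenated(conn, "x' OR '1'='1"))
    print("param  lookup x' OR '1'='1 ->", find_ids_parameterized(conn, "x' OR '1'='1"))
    print("escaped concat lookup O'Brien ->",
          find_ids_concatenated(conn, escape_sql_literal("O'Brien")))
    print(render_greeting("<script>alert('xss')</script>"))
```

Running it shows the concatenated insert of O'Brien failing with a syntax error while the parameterized insert of every sample name succeeds; the injection string makes the concatenated lookup return both seeded rows but the parameterized lookup return none; and the script payload comes back from render_greeting as inert text. The escaper that fixes the SQL case (doubling the quote) does nothing for the HTML case, which is the context-dependence point above.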