On names

Trust no one

Input validation has been something of an obsession of mine ever since I picked up PHP back in the 90s. You can never trust user input. At all. To give an example, back when contact forms (without CAPTCHAs) were a thing that existed, many of them were abused to send spam to random people. How? By abusing naïve input validation in combination with PHP’s extremely shitty mail() header implementation. Instead of accepting headers as an array of headers – and only as an array of headers – it accepts them as a CRLF-delimited list of strings. So if you have an input field with the sender’s email address, and you want to helpfully include this in a From header in your email, you’d better validate the thing properly … because if not, spammers will abuse that From address to include CC or BCC headers and they will peddle their prick enhancing pills using your mail server. Or so it used to go; PHP’s implementation has improved somewhat, and developers aren’t as dumb as we were back then.

Ahem. I got a bit sidetracked there. Input validation. Important, yes.

Can’t trust users, in part because they make mistakes, and in part because you can’t tell them apart from abusers. Some things are easier to validate than others. Addresses are very nearly impossible to validate, so don’t even bother. Seriously, if your address field is anything other than a textarea, you’re doing it wrong, and I hope your service is limited to a single country/region.

Names

Names are strange, and not as easy to validate as you might think. One of my coworkers, let’s call her Jo, was recently unable to buy a train ticket. The order form had a First Name field and a Last Name field. Apparently her name “Jo” was too short. Even though there are literally thousands of people with this name in the country. And there are tens of millions of people with first names with 2 characters or less. Maybe hundreds of millions if you count the Chinese and the Japanese. The same goes for last names, only they are even worse.

Length validation is stupid. It’s probably safe to truncate overly long names if you have limited storage, but there is no lower limit. I know a few people with the surname O. That’s a single letter. They usually have to choose between lying about their name, or not being able to use a service.

Not everyone even has a last name. It’s stupid to assume that they do. I’m not talking about Cher or Bono. I’m talking about many Asians, about older Turks, indigenous Americans. Maybe they’re not the target audience of your fancy webapp, but it’s good to keep your assumptions in check anyway – you know, the whole ass; you; me thing.

There is only one correct way to ask for a user’s name and to validate it: use a single field with minimum length 1. None of this first/last bullshit, and especially not the ridiculous Dutch infix nonsense! People generally know how to write their name, they don’t need your help, and they certainly don’t need your misplaced judgement.
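The two rules so far, strict handling of the sender address that ends up in a mail() header and a single name field with minimum length 1, can sit side by side in a contact form handler. The following is an added example, not code from the original post. The function names, the 200-character limit and the sample inputs are assumptions, and it assumes PHP 7.2 or later (where mail() accepts headers as an array) with the mbstring extension.

```php
<?php
// Added example: hypothetical helper names, not code from the original post.

// Sender address: reject CR, LF and NUL before anything else, so the value
// can never grow a second header line such as Cc or Bcc.
function clean_sender(string $email): ?string
{
    if (preg_match('/[\r\n\0]/', $email)) {
        return null;
    }
    $valid = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Name: one free-form field, minimum length 1, no first/last split.
// Control characters are stripped; $maxLen is an assumed storage limit.
function clean_name(string $name, int $maxLen = 200): ?string
{
    $name = preg_replace('/\p{Cc}+/u', '', $name);
    if ($name === null) {          // input was not valid UTF-8
        return null;
    }
    $name = trim($name);
    return $name === '' ? null : mb_substr($name, 0, $maxLen, 'UTF-8');
}

function send_contact_mail(string $to, string $name, string $email, string $body): bool
{
    $from = clean_sender($email);
    $who  = clean_name($name);
    if ($from === null || $who === null) {
        return false;
    }
    // Headers as an array: one entry per header, no hand-built CRLF string.
    $headers = ['From' => $from, 'Content-Type' => 'text/plain; charset=UTF-8'];
    return mail($to, 'Contact form message', "Name: $who\n\n$body", $headers);
}

// Constructed sample inputs (not real data): short names pass, the address
// carrying an embedded CRLF and the empty name are rejected with null.
$samples = [
    ['Jo', 'jo@example.org'],
    ['O', 'o@example.org'],
    ['Jo', "jo@example.org\r\nBcc: someone@example.net"],
    ['', 'nobody@example.org'],
];
foreach ($samples as [$name, $email]) {
    var_dump(clean_name($name), clean_sender($email));
}
```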

Talk to me

If you want to be really fancy, and you want to address your user in some way (like “Hey, Elric!”), then ask the user how they want to be addressed. Don’t magically assume that a first name is OK, or that you can pick a title from some limited list of nonsense. I actively resent being called “Mister”. Other people insist on it. If you’re limiting the options to “Mr., Miss, Ms., and Mrs.”, you can expect an angry mob with pitchforks at some point soon. And rightly so. Not asking for this information is easier and better. Unless you actively want to address someone in a specific way (in which case, ask!), this information serves no purpose. Or are you somehow trying to guess the genital configuration of your users based on a silly form? In which case you’re probably falling foul of the GDPR. It also seems like a dumb thing to do.

Remember, asking for information you don’t need is a cardinal sin. And if you are asking, make sure you’re not implicitly passing judgement or rejecting people based on incorrect assumptions. Be liberal in what you accept, but conservative in what you send.

— Elric