And as Gellweiler mentioned, use With naming, isn't it still a good idea to not allow numbers?Because I don't know if there is any country in the world where numbers actually appear in the name..* On success an Array containing a success flag and the usertype as text.
Depending on the country your website will target, relying on first last name might be fine, but I would definitely not filter the name.
Now look at that, you don't have to worry about pesky, million-ways-to-format addresses!
First the good news: You use prepared queries which is a good thing as it prevents SQLInjection one of the most nasty and common security breaches. But you should improve the following things: Add a CSRF token!!
, otherwise a new administrator can be added by performing a CSRF attack on one of your users that are allowed to add users.
As a general rule add tokens to all forms that use User does not exists.