You could use an optimistic filter, i.e. do checks against characters rather than for them.
I.e. if you detect any punctuation, double spaces or numbers, then fail - otherwise pass. Remember that hyphens (e.g. "ann-marie") are valid. But no matter how much regex you throw in there, there's no stopping them using semantically valid, yet culturally invalid, names - e.g. 'DonaldDuck'. So in that respect I agree with Anthony, that sometimes restrictions are just inspiration for greater creativity.
As for security exploits, you'll be fine with any string as far as I'm aware, as long as you aren't really, really stupid and put it in exec() or something. Also remember to htmlspecialchars it on output, or they could inject HTML/JS - which is all they can do when they can't touch the database code. Though on the subject, that reminds me a little of http://xkcd.com/327/
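The reject-style filter and the escape-on-output step described in this answer, as an added PHP example that is not part of the original post. The function names `isPlausibleName()` and `renderGreeting()` and all sample inputs are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.

// Reject-list check: fail on digits, control characters, runs of
// whitespace, and any punctuation or symbol other than a hyphen.
function isPlausibleName(string $name): bool
{
    if ($name === '') {
        return false;
    }
    $reject = '/\p{N}|\p{C}|\s{2,}|(?!-)[\p{P}\p{S}]/u';
    // preg_match() returns 1 on a hit and false on error (for example
    // invalid UTF-8 with the /u flag); only a clean 0 counts as a pass.
    return preg_match($reject, $name) === 0;
}

// Escaping happens at output time and for every value, whether or not
// it passed the filter, so markup in a name is rendered as text.
function renderGreeting(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

// Constructed sample inputs.
$samples = [
    'ann-marie',                  // hyphen is allowed
    'José García',                // non-ASCII letters, single space
    'DonaldDuck',                 // passes: the filter cannot judge meaning
    "O'Brien",                    // apostrophe counts as punctuation here
    'Ann  Marie',                 // double space
    'R2D2',                       // digits
    '<script>alert(1)</script>',  // markup in the name field
];

foreach ($samples as $s) {
    printf(
        "%-30s %-5s %s\n",
        var_export($s, true),
        isPlausibleName($s) ? 'pass' : 'fail',
        renderGreeting($s)
    );
}
```

Run with `php` on the command line: the first three samples pass and the rest fail, and the last line of output shows the markup sample rendered with `&lt;` and `&gt;` instead of live tags.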