I suspect I am going to feel really stupid after posting this but here goes. I have two main questions:
1) What is an appropriate regex to use for the registration id? Currently I have the following but I have not been able to find any docs to support whether this is sufficient:
'/^[a-z0-9_-]{40,255}$/i'
2) Is it "valid" for a regID to contain "--"? I know that android can't go worrying about what every language - in this case mysql - uses for comments, etc. but this caught me a little off guard. Up to this point I had always flagged that in my sanitizer(s) because of the possibility of being used for sql injection.
The format of the registration ID is an implementation detail. Google might change it anytime without any notice. Why do you want to validate it? If storing in MySQL is a concern, use mysql_real_escape_string() just in case, or mysqli::real_escape_string() with mysqli on PHP, or parameters.
It's like people's names. You might think it's all alphabetic, then O'Neil comes along. Escape it just in case.