#1
Ok, here's a new one for me. Maybe you can appreciate this even if you haven't run across it before.
I have to ask for a user's height - not the height of an image or table or what have you. Imagine trying to search for information on "how to handle height securely"... and I mean height, as in 6'3" tall. Well, I have run into a bit of a problem. Maybe you're chuckling to yourself already. Searching for 'height php' and 'how to handle height with PHP' comes back with a million responses on all different aspects of height in HTML or CSS, but nothing for a user's actual height.
Given that heights have ' and " in them, well... Trying to store this information in a MySQL database securely is causing my brain to melt. Then again, it's late and I've been at this way too long today.
I've tried addslashes(), htmlspecialchars(), mysql_real_escape_string().
Any suggestions that don't involve using a drop down selection menu? .. or reducing the result to inches, storing the inches and later converting inches back to feet?
Why oh why can't people use Metric? (Says the Canadian!)
#2
Ok, I'm going to use two entry boxes for now. One for feet and one for inches. If there is a better way I would like to know as measurements in feet and inches might come up again on a future project.
#3
|
||||
|
||||
|
You have not stated the exact problem you are having.
Why don't you want to use two drop down select boxes? What part of this do you need help with?
1) The method on the form for inputting the data.
2) Validating the data.
3) Formatting the data into a value that can be ordered/compared/searched.
4) Escaping the data so that it does not break the query.
5) Inserting the data with error checking to see why it might be failing.
6) Retrieving specific data in a specific order.
7) Formatting and outputting the data.
#4
Ahh... that would be
4) Escaping the data so that it does not break the query. (trying to avoid SQL injection)
and at some point in the near future,
7) Formatting and outputting the data.
but I guess that really depends on the method used to get it into the DB in the first place. (e.g. addslashes() requires stripslashes()).
6'3", for example, could pose some risk if it's not handled securely during the submit or update. Then again, it's not passing to a select statement but it might be at some point.
I found out this morning that the client wants to use a drop down with ranges of height instead, so that settles it. For future reference it would still be a good idea to see what can be done. You never know, the next client might be a home builder who wants to store measurements of homes or something.
Converting the values to inches is what I've got now and probably the better idea as that gives a better value for manipulation in the future. Right now it's going into a drop down as a range of values with each range assigned as an integer (< 5'0" = 0, 5'0" to 5'2" = 1, 5'3" - 5'5" = 2, etc etc...).
I just don't like using drop downs. It adds an extra bit of work when the value is displayed later. But I get paid by the hour on this one.
#5
You should just store them as two different fields in the db, then format the output however you want...
For example, just store 6 for feet, and 3 for inches, then when you display it add the ' and "
Hope that helps,
Matt
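The approach from post #5 combined with the escaping concern from post #4, as an added example that is not part of the original thread: free-text height is validated down to two integers, written with a prepared statement, and the ' and " are re-added (HTML-encoded) only on output. The function names, the `users` table and the in-memory SQLite database are assumptions made so the example runs offline, and it accepts a few more spellings (ft/in) than the thread discusses.

```php
<?php
// Added example, not from the thread. Table and function names are hypothetical.

// Accepts forms such as 6'3", 6' 3", 6' or "5 ft 11 in".
// Returns [feet, inches] as integers, or null when the input is not a plausible height.
function parse_height(string $raw): ?array
{
    $pattern = '/^\s*(\d)\s*(?:\'|ft\.?|feet)\s*(?:(\d{1,2})\s*(?:"|in\.?|inches)?)?\s*$/i';
    if (!preg_match($pattern, $raw, $m)) {
        return null;
    }
    $feet = (int) $m[1];
    $inches = isset($m[2]) && $m[2] !== '' ? (int) $m[2] : 0;
    if ($feet < 1 || $feet > 8 || $inches > 11) {
        return null;
    }
    return [$feet, $inches];
}

// The quote characters exist only in the rendered string, encoded for an HTML context.
function format_height(int $feet, int $inches): string
{
    return htmlspecialchars($feet . "'" . $inches . '"', ENT_QUOTES, 'UTF-8');
}

// SQLite in memory keeps this self-contained; for MySQL only the PDO DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, feet INTEGER, inches INTEGER)');
$insert = $pdo->prepare('INSERT INTO users (name, feet, inches) VALUES (:name, :feet, :inches)');

// Constructed sample submissions, including one that is not a height at all.
$samples = ['alice' => "6'3\"", 'bob' => '5 ft 11 in', 'mallory' => "6'3\"); DROP TABLE users; --"];
foreach ($samples as $name => $raw) {
    $height = parse_height($raw);
    if ($height === null) {
        echo "$name: rejected\n";
        continue;
    }
    $insert->bindValue(':name', $name, PDO::PARAM_STR);
    $insert->bindValue(':feet', $height[0], PDO::PARAM_INT);
    $insert->bindValue(':inches', $height[1], PDO::PARAM_INT);
    $insert->execute();
}

foreach ($pdo->query('SELECT name, feet, inches FROM users ORDER BY feet * 12 + inches') as $row) {
    echo $row['name'] . ': ' . format_height((int) $row['feet'], (int) $row['inches']) . "\n";
}
```

Because the values are bound as parameters, no addslashes()/stripslashes() pair is needed, and the stored integers can be sorted or compared directly.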
| Viewing: Codewalkers Forums > PHP Related > PHP Coding > forms - Handling height in web forms securely |