
Attempting to update a database with the height of a person. I've tried every variation of mysqli_real_escape_string, addslashes and even str_replace in an attempt to update the database with a single and double quote. Let's assume a person is 6' 1". How can I upload this value into a database?

// $mysqli is an open mysqli connection; the value to store is 6' 1"
$height = '6\' 1"';
// escape the quotes for use inside a quoted SQL literal
$height = mysqli_real_escape_string($mysqli, $height);
$sql = "INSERT INTO persons (height) VALUES ('$height')";

The result returned in the db, when I do get results, is always the same:

6' 1"

Would it be better to simply accept that it updates this way, as my HTML page will render (6' 1") instead of (6' 1"), or is there a better or safer way to update my database?

soma56
    Maybe this would work a lot better if you used prepared statements instead of helper functions and string interpolation. – Cobra_Fast Sep 06 '18 at 21:46
  • Agree with @Cobra_Fast prepare - http://php.net/manual/en/mysqli.prepare.php. you can look at embedding quotes to the statement and set feet/inches as variables – ibex Sep 06 '18 at 21:47
    _"when I do get results, is always the same"_ - Is that what the string looks like in the actual database? Looks like there's been some html entities encoding done somewhere. But yes, you should save the string as is, using Prepared Statements. You should then only encode the data when you actually output it. – M. Eriksson Sep 06 '18 at 21:48

1 Answer


ATTENTION: mysqli_real_escape_string is not always safe

Example: SQL injection that gets around mysql_real_escape_string()

You should use prepared statements or PDO to be safe against SQL injection.

But for saving height you can simply use one INT column and store the height in the smallest unit (inches), then convert it when you want to show it; for example, 6' 1" is 73 inches. Or the reverse when you want to save it.

M4HdYaR
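The following is an added example, not code from the question, the comments or the answer above. It puts together what the comments and the answer suggest: a mysqli prepared statement stores the literal string 6' 1" with no escaping and no entities, the same value is also stored as an integer number of inches, and HTML encoding happens only at output time. The table layout (`persons` with `height` and `height_in` columns), the connection credentials and the helper names `heightToInches()` / `inchesToHeight()` are assumptions made for this example; `get_result()` requires the mysqlnd driver that ships with modern PHP.

```php
<?php
// Added example (not from the question or answer). Assumes a MySQL
// database reachable with the placeholder credentials below and a table:
//   CREATE TABLE persons (id INT AUTO_INCREMENT PRIMARY KEY,
//                         height VARCHAR(16), height_in INT);
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$mysqli->set_charset('utf8mb4');

/**
 * Convert a height such as 6' 1" (feet and inches, either part optional)
 * into total inches. Returns null when the string is not a height.
 */
function heightToInches(string $height): ?int
{
    // Single-quoted PHP string: \' is a literal apostrophe, \s and \d stay as written.
    if (!preg_match('/^\s*(?:(\d+)\s*\')?\s*(?:(\d+)\s*")?\s*$/', $height, $m)) {
        return null;
    }
    $feet   = isset($m[1]) && $m[1] !== '' ? (int) $m[1] : 0;
    $inches = isset($m[2]) && $m[2] !== '' ? (int) $m[2] : 0;
    if ($feet === 0 && $inches === 0) {
        return null; // empty or whitespace-only input
    }
    return $feet * 12 + $inches;
}

/** Inverse of heightToInches(): 73 becomes 6' 1". */
function inchesToHeight(int $inches): string
{
    return sprintf('%d\' %d"', intdiv($inches, 12), $inches % 12);
}

// 1. Insert the raw string and its integer form with a prepared statement.
//    The values are sent separately from the SQL text, so the quotes in
//    6' 1" never need escaping and cannot break out of the statement.
$height   = '6\' 1"';
$heightIn = heightToInches($height); // 73

$stmt = $mysqli->prepare('INSERT INTO persons (height, height_in) VALUES (?, ?)');
$stmt->bind_param('si', $height, $heightIn); // s = string, i = integer
$stmt->execute();
$id = $mysqli->insert_id;
$stmt->close();

// 2. Read the row back. The stored string is exactly 6' 1": no entities,
//    no backslashes, because nothing was encoded before storage.
$stmt = $mysqli->prepare('SELECT height, height_in FROM persons WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// 3. Encode only at output time, for the context the value lands in.
//    ENT_QUOTES makes htmlspecialchars() turn both ' and " into entities
//    in the HTML being emitted, not in the database.
$flags = ENT_QUOTES | ENT_HTML5;
echo '<td>' . htmlspecialchars($row['height'], $flags, 'UTF-8') . "</td>\n";
echo '<td>' . htmlspecialchars(inchesToHeight((int) $row['height_in']), $flags, 'UTF-8') . "</td>\n";
```

Storing the integer form alongside the string is what lets the database sort and compare heights; the string column is kept here only to show that quotes survive a prepared insert untouched. If the page later shows the value somewhere other than HTML (a JSON API, a CSV export), encode for that context instead of reusing the HTML-encoded form.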