-1
因此,我已经完成了大量我正在处理的网站,但我现在想要从用户那里清理数据。如何清理php/mysql的工作?
该网站是一个拍卖风格的网站。存在向用户询问关于他们想要拍卖的物品的数据的表格。当窗体的帖子,该数据被输入变量是在PHP,然后提交到数据库,因为这样的:
if(isset($_POST['title'])) {
$allowedExts = array("gif", "jpeg", "jpg", "png");//array of allowed extensions
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
/*
* Set variables for the _POST data (except the file).
*/
$title = $_POST['title'];
$description = $_POST['description'];
$type = $_POST['description'];
$startPrice = $_POST['startPrice'];
$reservePrice = $_POST['reservePrice'];
$buyPrice = $_POST['buyPrice'];
然后验证与形式上传的文件是有效的格式和大小的图像,将其复制到其永久位置,并设置图像的URL变量。
然后进入数据库是这样的:
if (!$this->db->query("INSERT INTO tbl_auction_listing VALUES(NULL, '$userid', '$title', '$description', '$img_url', '16', NOW(), NOW() + INTERVAL 5 DAY, '$startPrice', '$reservePrice', '$buyPrice', '0', '1')")) {
echo '<h2> Item did not enter successfully, please try again </h2>';
//redirect(site_url() . 'user/fail/'); exit();
}
它很重要的是,用户不能使用任何自定义HTML,或在PHP退出当前命令,使他们能够执行shell命令。
无论如何,一旦该项目数据从数据库以后提取,它的格式与此类似(省略了一些行,只是想你看到它是如何编码为例)
$query = $this->db->query("SELECT * FROM item{$item} WHERE winning = '1';");
foreach ($query->result() as $row)
{
$currentHighBid = $row->bid;
// if the row is null, it means there's no bids- initialize variables and set the qualifying bid to 100 satoshi.
if ($currentHighBid == NULl) {
$currentHighBid = NULL;
$currentWinner = NULL;
$winnerMaxBid = NULL;
$ip = NULL;
$winning = NULL;
$qualifyingbid = $startprice;
$displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation
}
else {
$currentHighBid = $row->bid;
$currentWinner = $row->user_pk;
$winnerMaxBid = $row->maxbid;
$ip = $row->ip;
$winning = $row->winning;
$qualifyingbid = $currentHighBid * 1.01; // the next allowed bid should be 1% higher than the current bid
$displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation
}
if ($currentWinner == $userid && $open == 0) //fix for undefined
echo " <h2 class='notice'> You won! Congratulations!</h2>";
//enter the pay form here
if ($currentWinner == $userid && $open == 1) //fix for undefined
echo " <h2 class='notice'> You are currently the high bidder.</h2>";
//enter the pay form here
if ($currentHighBid == NULL) //fix for undefined
echo " <h2 class='notice'> The item currently has no bids</h2>";
else
echo " <h2 class='price'> The current bid is $currentHighBid BTC <a href='/listings/bids/$item'>(Click for Bid History)</a></h2>";
if ($open == 1)
echo " <h2 class='price'> The next acceptable bid is $displayQualifyingBid BTC</h2>";
if ($remaining > 0)
echo "<h2 class='notice'> This item has $remaining remaining.</h2>";
}
如何使确定这些已被正确地转义\消毒了吗?
为了防止恶意代码注入,看看[预处理语句(http://php.net/manual/en/mysqli.quickstart.prepared-statements.php )。为防止HTML注入,请使用[htmlspecialchars](http://php.net/manual/en/function.htmlspecialchars.php)。 – wavemode 2014-09-27 03:34:59
不要。理论上你可以使用[mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php),但忘记这么做很容易,如果你忘记一次,那么你的网站是不安全的。使用[准备语句](http://php.net/manual/en/pdo.prepared-statements.php) – 2014-09-27 03:35:55
一个侧面说明,框架是codeigniter,这是否有所不同,在implimentation? – user3175451 2014-09-27 03:38:15