如何清理php/mysql的工作？

Question

因此，我已经完成了大量我正在处理的网站，但我现在想要从用户那里清理数据。

该网站是一个拍卖风格的网站。存在向用户询问关于他们想要拍卖的物品的数据的表格。当窗体的帖子，该数据被输入变量是在PHP，然后提交到数据库，因为这样的：

if(isset($_POST['title'])) { 

      $allowedExts = array("gif", "jpeg", "jpg", "png");//array of allowed extensions 
      $temp = explode(".", $_FILES["file"]["name"]); 
      $extension = end($temp); 

      /* 
      * Set variables for the _POST data (except the file). 
      */ 
      $title = $_POST['title']; 
      $description = $_POST['description']; 
      $type = $_POST['description']; 
      $startPrice = $_POST['startPrice']; 
      $reservePrice = $_POST['reservePrice']; 
      $buyPrice = $_POST['buyPrice']; 

然后验证与形式上传的文件是有效的格式和大小的图像，将其复制到其永久位置，并设置图像的URL变量。

然后进入数据库是这样的：

if (!$this->db->query("INSERT INTO tbl_auction_listing VALUES(NULL, '$userid', '$title', '$description', '$img_url', '16', NOW(), NOW() + INTERVAL 5 DAY, '$startPrice', '$reservePrice', '$buyPrice', '0', '1')")) { 
          echo '<h2> Item did not enter successfully, please try again </h2>'; 
          //redirect(site_url() . 'user/fail/'); exit(); 
         } 

它很重要的是，用户不能使用任何自定义HTML，或在PHP退出当前命令，使他们能够执行shell命令。

无论如何，一旦该项目数据从数据库以后提取，它的格式与此类似（省略了一些行，只是想你看到它是如何编码为例）

$query = $this->db->query("SELECT * FROM item{$item} WHERE winning = '1';"); 
     foreach ($query->result() as $row) 
     { 
      $currentHighBid = $row->bid; 
      // if the row is null, it means there's no bids- initialize variables and set the qualifying bid to 100 satoshi. 
      if ($currentHighBid == NULl) { 
       $currentHighBid = NULL; 
       $currentWinner = NULL; 
       $winnerMaxBid = NULL; 
       $ip = NULL; 
       $winning = NULL; 
       $qualifyingbid = $startprice; 
       $displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation 
      } 
      else { 
       $currentHighBid = $row->bid; 
       $currentWinner = $row->user_pk; 
       $winnerMaxBid = $row->maxbid; 
       $ip = $row->ip; 
       $winning = $row->winning; 
       $qualifyingbid = $currentHighBid * 1.01; // the next allowed bid should be 1% higher than the current bid 
       $displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation 
      } 
     if ($currentWinner == $userid && $open == 0) //fix for undefined 
      echo " <h2 class='notice'> You won! Congratulations!</h2>"; 
      //enter the pay form here 
     if ($currentWinner == $userid && $open == 1) //fix for undefined 
      echo " <h2 class='notice'> You are currently the high bidder.</h2>"; 
      //enter the pay form here 
     if ($currentHighBid == NULL) //fix for undefined 
      echo " <h2 class='notice'> The item currently has no bids</h2>"; 
     else 
      echo " <h2 class='price'> The current bid is $currentHighBid BTC <a href='/listings/bids/$item'>(Click for Bid History)</a></h2>"; 
     if ($open == 1) 
      echo " <h2 class='price'> The next acceptable bid is $displayQualifyingBid BTC</h2>"; 
     if ($remaining > 0) 
      echo "<h2 class='notice'> This item has $remaining remaining.</h2>"; 
     } 

如何使确定这些已被正确地转义\消毒了吗？

Answer 1

怎么样的功能，可以帮助

function cleanInput($input) { 
    $search = array(
     '@<script[^>]*?>.*?</script>@si', // Strip out javascript 
     '@<[\/\!]*?[^<>]*?>@si',   // Strip out HTML tags 
     '@<style[^>]*?>.*?</style>@siU', // Strip style tags properly 
     '@<![\s\S]*?--[ \t\n\r]*>@'   // Strip multi-line comments 
    ); 
    $output = preg_replace($search, '', $input); 
    return $output; 
}