-1
因此,我已經完成了大量我正在處理的網站,但我現在想要從用戶那裏清理數據。如何清理php/mysql的工作?
該網站是一個拍賣風格的網站。存在向用戶詢問關於他們想要拍賣的物品的數據的表格。當窗體的帖子,該數據被輸入變量是在PHP,然後提交到數據庫,因爲這樣的:
if(isset($_POST['title'])) {
$allowedExts = array("gif", "jpeg", "jpg", "png");//array of allowed extensions
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
/*
* Set variables for the _POST data (except the file).
*/
$title = $_POST['title'];
$description = $_POST['description'];
$type = $_POST['description'];
$startPrice = $_POST['startPrice'];
$reservePrice = $_POST['reservePrice'];
$buyPrice = $_POST['buyPrice'];
然後驗證與形式上傳的文件是有效的格式和大小的圖像,將其複製到其永久位置,並設置圖像的URL變量。
然後進入數據庫是這樣的:
if (!$this->db->query("INSERT INTO tbl_auction_listing VALUES(NULL, '$userid', '$title', '$description', '$img_url', '16', NOW(), NOW() + INTERVAL 5 DAY, '$startPrice', '$reservePrice', '$buyPrice', '0', '1')")) {
echo '<h2> Item did not enter successfully, please try again </h2>';
//redirect(site_url() . 'user/fail/'); exit();
}
它很重要的是,用戶不能使用任何自定義HTML,或在PHP退出當前命令,使他們能夠執行shell命令。
無論如何,一旦該項目數據從數據庫以後提取,它的格式與此類似(省略了一些行,只是想你看到它是如何編碼爲例)
$query = $this->db->query("SELECT * FROM item{$item} WHERE winning = '1';");
foreach ($query->result() as $row)
{
$currentHighBid = $row->bid;
// if the row is null, it means there's no bids- initialize variables and set the qualifying bid to 100 satoshi.
if ($currentHighBid == NULl) {
$currentHighBid = NULL;
$currentWinner = NULL;
$winnerMaxBid = NULL;
$ip = NULL;
$winning = NULL;
$qualifyingbid = $startprice;
$displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation
}
else {
$currentHighBid = $row->bid;
$currentWinner = $row->user_pk;
$winnerMaxBid = $row->maxbid;
$ip = $row->ip;
$winning = $row->winning;
$qualifyingbid = $currentHighBid * 1.01; // the next allowed bid should be 1% higher than the current bid
$displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation
}
if ($currentWinner == $userid && $open == 0) //fix for undefined
echo " <h2 class='notice'> You won! Congratulations!</h2>";
//enter the pay form here
if ($currentWinner == $userid && $open == 1) //fix for undefined
echo " <h2 class='notice'> You are currently the high bidder.</h2>";
//enter the pay form here
if ($currentHighBid == NULL) //fix for undefined
echo " <h2 class='notice'> The item currently has no bids</h2>";
else
echo " <h2 class='price'> The current bid is $currentHighBid BTC <a href='/listings/bids/$item'>(Click for Bid History)</a></h2>";
if ($open == 1)
echo " <h2 class='price'> The next acceptable bid is $displayQualifyingBid BTC</h2>";
if ($remaining > 0)
echo "<h2 class='notice'> This item has $remaining remaining.</h2>";
}
如何使確定這些已被正確地轉義\消毒了嗎?
爲了防止惡意代碼注入,看看[預處理語句(http://php.net/manual/en/mysqli.quickstart.prepared-statements.php )。爲防止HTML注入,請使用[htmlspecialchars](http://php.net/manual/en/function.htmlspecialchars.php)。 – wavemode 2014-09-27 03:34:59
不要。理論上你可以使用[mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php),但忘記這麼做很容易,如果你忘記一次,那麼你的網站是不安全的。使用[準備語句](http://php.net/manual/en/pdo.prepared-statements.php) – 2014-09-27 03:35:55
一個側面說明,框架是codeigniter,這是否有所不同,在implimentation? – user3175451 2014-09-27 03:38:15