如何清理php/mysql的工作？

Question

因此，我已經完成了大量我正在處理的網站，但我現在想要從用戶那裏清理數據。

該網站是一個拍賣風格的網站。存在向用戶詢問關於他們想要拍賣的物品的數據的表格。當窗體的帖子，該數據被輸入變量是在PHP，然後提交到數據庫，因爲這樣的：

if(isset($_POST['title'])) { 

      $allowedExts = array("gif", "jpeg", "jpg", "png");//array of allowed extensions 
      $temp = explode(".", $_FILES["file"]["name"]); 
      $extension = end($temp); 

      /* 
      * Set variables for the _POST data (except the file). 
      */ 
      $title = $_POST['title']; 
      $description = $_POST['description']; 
      $type = $_POST['description']; 
      $startPrice = $_POST['startPrice']; 
      $reservePrice = $_POST['reservePrice']; 
      $buyPrice = $_POST['buyPrice']; 

然後驗證與形式上傳的文件是有效的格式和大小的圖像，將其複製到其永久位置，並設置圖像的URL變量。

然後進入數據庫是這樣的：

if (!$this->db->query("INSERT INTO tbl_auction_listing VALUES(NULL, '$userid', '$title', '$description', '$img_url', '16', NOW(), NOW() + INTERVAL 5 DAY, '$startPrice', '$reservePrice', '$buyPrice', '0', '1')")) { 
          echo '<h2> Item did not enter successfully, please try again </h2>'; 
          //redirect(site_url() . 'user/fail/'); exit(); 
         } 

它很重要的是，用戶不能使用任何自定義HTML，或在PHP退出當前命令，使他們能夠執行shell命令。

無論如何，一旦該項目數據從數據庫以後提取，它的格式與此類似（省略了一些行，只是想你看到它是如何編碼爲例）

$query = $this->db->query("SELECT * FROM item{$item} WHERE winning = '1';"); 
     foreach ($query->result() as $row) 
     { 
      $currentHighBid = $row->bid; 
      // if the row is null, it means there's no bids- initialize variables and set the qualifying bid to 100 satoshi. 
      if ($currentHighBid == NULl) { 
       $currentHighBid = NULL; 
       $currentWinner = NULL; 
       $winnerMaxBid = NULL; 
       $ip = NULL; 
       $winning = NULL; 
       $qualifyingbid = $startprice; 
       $displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation 
      } 
      else { 
       $currentHighBid = $row->bid; 
       $currentWinner = $row->user_pk; 
       $winnerMaxBid = $row->maxbid; 
       $ip = $row->ip; 
       $winning = $row->winning; 
       $qualifyingbid = $currentHighBid * 1.01; // the next allowed bid should be 1% higher than the current bid 
       $displayQualifyingBid = number_format($qualifyingbid, 8, '.', ''); // format to decimal places rather than scientific notation 
      } 
     if ($currentWinner == $userid && $open == 0) //fix for undefined 
      echo " <h2 class='notice'> You won! Congratulations!</h2>"; 
      //enter the pay form here 
     if ($currentWinner == $userid && $open == 1) //fix for undefined 
      echo " <h2 class='notice'> You are currently the high bidder.</h2>"; 
      //enter the pay form here 
     if ($currentHighBid == NULL) //fix for undefined 
      echo " <h2 class='notice'> The item currently has no bids</h2>"; 
     else 
      echo " <h2 class='price'> The current bid is $currentHighBid BTC <a href='/listings/bids/$item'>(Click for Bid History)</a></h2>"; 
     if ($open == 1) 
      echo " <h2 class='price'> The next acceptable bid is $displayQualifyingBid BTC</h2>"; 
     if ($remaining > 0) 
      echo "<h2 class='notice'> This item has $remaining remaining.</h2>"; 
     } 

如何使確定這些已被正確地轉義\消毒了嗎？

Answer 1

怎麼樣的功能，可以幫助

function cleanInput($input) { 
    $search = array(
     '@<script[^>]*?>.*?</script>@si', // Strip out javascript 
     '@<[\/\!]*?[^<>]*?>@si',   // Strip out HTML tags 
     '@<style[^>]*?>.*?</style>@siU', // Strip style tags properly 
     '@<![\s\S]*?--[ \t\n\r]*>@'   // Strip multi-line comments 
    ); 
    $output = preg_replace($search, '', $input); 
    return $output; 
}