PHP :: Bug #20392 :: HTML_Template_IT error with $ in values

Bug #20392

HTML_Template_IT error with $ in values

Submitted:

2002-11-12 09:40 UTC

Modified:

2003-02-11 13:37 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

olonoh at yahoo dot com

Assigned:

pajoye (profile)

Status:

Closed

Package:

PEAR related

PHP Version:

4.2.2

OS:

Linux

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2002-11-12 09:40 UTC] olonoh at yahoo dot com

When an IT variable is set with "$" in the value, the value isn't taken literally.  Example:

<?php

require_once('HTML/IT.php');

$t = new IntegratedTemplate;
$t->setTemplate('{x}', TRUE, TRUE);
$t->setVariable('x', 'I have $1 in my pocket');
$t->show();

?>

The above prints "I have  in my pocket".  

A solution would be to use str_replace() instead of preg_replace() when substituting the value.  Patch is below:

--- /usr/local/lib/php/HTML/IT.php      2002-10-14 12:05:57.000000000 -0500
+++ /usr/local/lib/php/HTML/IT.php      2002-11-04 11:11:31.000000000 -0500
@@ -414,7 +414,7 @@
         if ($this->clearCacheOnParse) {

             foreach ($this->variableCache as $name => $value) {
-                $regs[] = "@" . $this->openingDelimiter . $name . $this->closingDelimiter . "@";
+                $regs[] = $this->openingDelimiter . $name . $this->closingDelimiter;
                 $values[] = $value;
             }
             $this->variableCache = array();
@@ -424,7 +424,7 @@
             foreach ($this->blockvariables[$block] as $allowedvar => $v) {

                 if (isset($this->variableCache[$allowedvar])) {
-                   $regs[]   = "@".$this->openingDelimiter . $allowedvar . $this->closingDelimiter . "@";
+                   $regs[]   = $this->openingDelimiter . $allowedvar . $this->closingDelimiter;
                    $values[] = $this->variableCache[$allowedvar];
                     unset($this->variableCache[$allowedvar]);
                 }
@@ -433,7 +433,7 @@

         }

-        $outer = (0 == count($regs)) ? $this->blocklist[$block] : preg_replace($regs, $values, $this->blocklist[$block]);
+        $outer = (0 == count($regs)) ? $this->blocklist[$block] : str_replace($regs, $values, $this->blocklist[$block]);
         $empty = (0 == count($values)) ? true : false;

         if (isset($this->blockinner[$block])) {

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-11-12 09:51 UTC] derick@php.net

recategorize

[2002-11-14 19:34 UTC] jon at jellybob dot co dot uk

Isn't this the expected behaviour? It's certainly what would happen if used $whatever in a string anywhere else in PHP - I think people would just get confused if their variables suddenly disappeared.

If you want to include a $ sign in the string, you need to escape it (\$).

[2002-11-14 20:06 UTC] nicos@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

[2002-11-14 20:22 UTC] olonoh at yahoo dot com

I think you misunderstood the report.  The $1 was the literal value (note the single quotes around the string).  When IT.php processes the value it's evaluated instead of being taken literally -- I wouldn't think that'd be expected behavior.  Try this modified example:

<?php

require_once('HTML/IT.php');

$value = 'I have $1 in my pocket';

$t = new IntegratedTemplate;
$t->setTemplate('{x}', TRUE, TRUE);
$t->setVariable('x', $value);

print $value."\n";
$t->show();

?>

This prints:

I have $1 in my pocket
I have  in my pocket

The first time it's printed correctly, but after it's processed in IT.php it's printed incorrectly.

[2002-11-14 20:25 UTC] nicos@php.net

Yes I understand it, but it's an excepted behaviour of the ZendEngine. Just add put a backslash before '$'.

Thanks for your report.

[2002-11-14 20:36 UTC] olonoh at yahoo dot com

I'm not clear how that's expected behavior.  I'm not referring to PHP's handling of strings, but of IT.php's usage of preg_replace() instead of str_replace().  I understand that this is necessary:

$value = "\$1"

but if I can print $value to STDOUT with the dollar sign, I don't understand why I have to escape it again before substituting it for a template variable.

If the value isn't explicitly defined in my code, form input for example, I'd have to substitute all '$' for '\$' and then revert back to the original value if I wanted to use it in something other than IT.php.

[2002-11-14 20:43 UTC] nicos@php.net

I got the point. I don't think this can be fixed anyway. I will talk about it with the maintainer.

Thanks you, I will let you know.

[2002-11-14 20:57 UTC] olonoh at yahoo dot com

OK, thanks.  I think the patch I provided should fix the bug.  Looking at the code, the preg_replace() method is used to match the delimeters + variable name even though that will never contain a regular expression.  There also isn't any of that match reused in the substitution (i.e. the $1, $2, \1, \2, etc. variables).  So str_replace() should be an acceptable replacement while fixing the bug.

By the way, I should probably continue in saying that the bug only affects values with characters representing those match variables -- $1, $2, \1, \2, etc. -- not just any dollar sign character combo.

[2002-11-14 21:00 UTC] nicos@php.net

I'm not sure the maintainer want to lose the rapidity of the request just because of that too. ereg() are not enough fast. preg_* is definitly the best way to do a Template class.

Anyway...

[2002-11-14 21:12 UTC] olonoh at yahoo dot com

I never suggested ereg().  I'm suggesting str_replace(), which is much faster than preg_replace() so the patch would actually give it a speed boost.

[2002-11-14 21:20 UTC] nicos@php.net

Ewps, sorry. Probably too late for me.

well I will see that with the maintainer. There is probably a reason to use preg_replace() and not str_replace() even if I don't see it at 4:18am :-)

Thanks you.

[2002-11-15 17:30 UTC] pajoye@php.net

Please upgrade the IT package to 1.0.0.

The new class name is HTML_Template_IT

$t = new HTML_Template_IT();
...

I ll be back with your problem this weekend.

pa

[2002-11-15 18:54 UTC] pajoye@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

$1 to $99 are used by preg_replace in the replacements arguments (see: http://fr2.php.net/manual/en/function.preg-replace.php).

$t = new HTML_Template_IT();
$t->setTemplate('{x}', TRUE, TRUE);
$t->setVariable('x', 'I have $a in my pocket');
$t->show();

thanks for the post

pa

[2003-02-11 13:27 UTC] mansion@php.net

I am wondering if using str_replace instead of preg_replace 
would solve these two problems... Could you please test it 
? Thanks.

[2003-02-11 13:37 UTC] pajoye@php.net

Keep it closed. Replace preg by a str_replace does not solve these problems.

Besides that, can you, please, do not set status if you do not know what the status means.

thank's

pierre

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 10:01:29 2024 UTC