|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35960 preg_replace exploit using 'e' (executor)
Submitted: 2006-01-10 12:14 UTC Modified: 2006-01-10 12:37 UTC
From: djmaze at cpgnuke dot com Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 5.1.1 OS: Windows
Private report: No CVE-ID: None
 [2006-01-10 12:14 UTC] djmaze at cpgnuke dot com
When using preg_replace() with the 'e' modifier you can exploit variables since the $ sign doesn't get backslashed.
Tested on several PHP versions both 4.x and 5.x

Reproduce code:
$exploited = 'my password';
$exploit = '[php]$exploited[/php]';
function highlight_php($txt)
	return "<pre>$txt</pre>";
echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php("\\1")', $exploit); # exploited

echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php(\'\\1\')', $exploit); # no exploit

Expected result:

Actual result:
<pre>my password</pre>


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-01-10 12:20 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

echo $exploited; is much more easier way to output a variable.
 [2006-01-10 12:31 UTC] djmaze at cpgnuke dot com
If you preg_replace() submitted data thru $_GET or $_POST i can for example put in $_GET something like: $_GET['input'] = '$foobar';

This means either update the documentation with an note stating that using the 'e' modifier the function doesn't backslash $ or force it to do so.

Because "echo $_GET['input'];" outputs $foobar
and the preg_replace() outputs the content of $foobar
 [2006-01-10 12:37 UTC]
If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, *evaluates it as PHP code*, and uses the result for replacing the search string. Single and double quotes are escaped by backslashes in substituted backreferences.

I don't see a reason for "e" to backslash "$". 
This is expected and well documented.
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC