Bug #36703 Can't include a literal plus sign in a character class
Submitted: 2006-03-12 09:01 UTC Modified: 2006-03-20 01:00 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:4 of 4 (100.0%)
Same Version:4 (100.0%)
Same OS:3 (75.0%)
From: 5jpck6k02 at sneakemail dot com Assigned:
Status: No Feedback Package: PCRE related
PHP Version: 5.1.2 OS: Linux
Private report: No CVE-ID: None
 [2006-03-12 09:01 UTC] 5jpck6k02 at sneakemail dot com
Description:
------------
A simple regular expression that has worked for years in PHP 4 
suddenly fails under PHP 5. 

Reproduce code:
---------------
foreach ($_GET as $val) {
    // Reject the request if a value contains any character outside the allow-list
    if (preg_match("/[^a-z0-9_\-\+]/i", $val)) {
        die("<p>Invalid request.</p>");
    }
}

Expected result:
----------------
The above code is used to filter out bogus GET requests 
containing potential XSS attacks at the top of a script. It 
should allow all legitimate requests comprised of alphanumeric 
characters, underscores, and plus and minus signs, through, 
while kicking anything containing a character not included in 
the character class out.

Actual result:
--------------
The regex matches plus signs contained in query strings even 
though the plus sign is explicitly included in the negated 
character class. I believe it is being interpreted as a 
quantifier when it is meant to be taken literally. I have not 
been able to find any means of successfully including a 
literal plus sign in a character class under PHP 5 to date. 
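
As an added example (not code from the bug report), the script below runs the same allow-list check over constructed query strings using PHP's own parse_str(), which applies the decoding used to populate $_GET. Inside a character class a `+` is always a literal, escaped or not, so the pattern itself is sound; what the example makes visible is that a bare `+` in an application/x-www-form-urlencoded query string decodes to a space, while `%2B` decodes to a literal `+`. The function name isAllowedValue and the sample query strings are assumptions.

```php
<?php
// Added example, not from the bug report: allow-list validation of
// query-string values with a literal '+' in the character class.

// Same negated class as the report. Inside [...] the '+' is a literal
// whether or not it is escaped; '-' is escaped so it does not form a range.
const DISALLOWED_CHAR = '/[^a-z0-9_\-\+]/i';

// Returns true when $val contains only letters, digits, '_', '+' and '-'.
// preg_match() returns 0 for no match and false on error, so an error
// fails closed (the value is rejected).
function isAllowedValue(string $val): bool
{
    return preg_match(DISALLOWED_CHAR, $val) === 0;
}

// Constructed sample query strings (not captured from real traffic).
$samples = [
    'id=abc-123_x+y',   // bare '+' in the raw query string
    'id=abc%2B123',     // percent-encoded '+'
    'id=%3Cscript%3E',  // characters outside the allow-list
];

foreach ($samples as $qs) {
    // parse_str() applies the form decoding PHP uses to build $_GET:
    // '%2B' becomes '+', but a bare '+' becomes a space.
    parse_str($qs, $params);
    foreach ($params as $name => $val) {
        // Nested parameters (e.g. a[]=1) arrive as arrays, not strings;
        // reject them outright instead of handing them to preg_match().
        $ok = is_string($val) && isAllowedValue($val);
        printf("%-18s -> %-16s %s\n", $qs, var_export($val, true),
               $ok ? 'allowed' : 'rejected');
    }
}
```

Run with `php example.php`: the first sample is rejected because its decoded value is `abc-123_x y` (the bare `+` became a space, which is outside the class), the second is allowed because `%2B` decoded to a literal `+`, and the third is rejected on the angle brackets. A client that wants a literal plus sign to survive decoding must send it as `%2B`.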

History
 [2006-03-12 09:13 UTC] tony2001@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


The 3 fields in the form (the reproduce code, the expected result and the actual result) are not just for fun. 
Please fill them with the appropriate information: the code, the result you expect to get and the result you actually get.
 [2006-03-20 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 01:01:27 2024 UTC