|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2006-11-29 10:23 UTC] tony2001@php.net
[2006-11-29 11:05 UTC] silverbanana at gmx dot de
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Thu Oct 23 21:00:01 2025 UTC |
Description: ------------ preg_replace offers the e modifier to evaluate a replacement string as PHP code and use the result of that code for the replacement. This is a very powerful feature. There is, however one problem: If you want to get the string found by preg_replace things can get complicated, dangerous, even impossible: This should replace anything between a and b by giving it's strlen. $search[0]="/a(.*)b/e"; $replace[0]="strlen('\\1')"; $result=preg_replace($search, $replace, $_GET['in']); Obviously it is possible to do very bad things here, because $_GET['in'] might be a string like: "');dosthbad();$a=('". Expected result: ---------------- It would be good to have a predefined variable available inside the eval'ed PHP code, that just contains all the values for the parenthesis. Assume this is called $found. Then one could write something like this: $search[0]="/a(.*)b/e"; // same as before $replace[0]='strlen($found[1])'; // <- changed $result=preg_replace($search, $replace, $_GET['in']); // same And this time things would be safe. Possibly it might be useful to introduce this functionality under a different modifier, but I think it would be a significant improvement for many applications.