php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47229 preg_quote should escape "-" (minus) as well
Submitted: 2009-01-28 12:23 UTC Modified: 2009-01-28 22:42 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: daniel at code-emitter dot com Assigned: nlopess
Status: Closed Package: PCRE related
PHP Version: 5.2.8 OS: any, see docs
Private report: No CVE-ID:
 [2009-01-28 12:23 UTC] daniel at code-emitter dot com
Description:
------------
preg_quote does not escape the "-" (minus) character but it should.

Reproduce code:
---------------
preg_quote("0-9", '/')

Expected result:
----------------
preg_quote("0-9", '/') == "0\-9"

Actual result:
--------------
preg_quote("0-9", '/') == "0-9"

Depending on the used string this can become a dead loss of the used regular expression because all characters become valid.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-01-28 12:38 UTC] felipe@php.net
The '-' just have special meaning in the regex when used whithin '[ ]', which are escaped as expected. So, there is no possibility to '-' break something.

var_dump(preg_quote("[0-2]")); // string(7) "\[0-2\]"
 [2009-01-28 12:42 UTC] daniel at code-emitter dot com
preg_match('/^([a-zA-Z0-9\-'.preg_quote("!#$%&'*+/=?^_`{|}~.", '/').']{1,64})@(.*)$/', $address, $matches)

But this will become a problem, when mixing like shown above. An escaped "-" outside of [...] does no harm, but an unescaped "-" inside does.
 [2009-01-28 12:44 UTC] daniel at code-emitter dot com
preg_match('/^([a-zA-Z0-9'.preg_quote("!#$%&'*+-/=?^_`{|}~.", '/').']{1,64})@(.*)$/', $address, $matches)

This will not work. I got this regexp from an example somewhere in the docs, so it seems that I'm not the only one who has built this into his application.
 [2009-01-28 13:23 UTC] felipe@php.net
Ah, OK.

Assigning to maintainer...
 [2009-01-28 22:42 UTC] nlopess@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC