|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47229 preg_quote should escape "-" (minus) as well
Submitted: 2009-01-28 12:23 UTC Modified: 2009-01-28 22:42 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: daniel at code-emitter dot com Assigned: nlopess (profile)
Status: Closed Package: PCRE related
PHP Version: 5.2.8 OS: any, see docs
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
10 + 21 = ?
Subscribe to this entry?

 [2009-01-28 12:23 UTC] daniel at code-emitter dot com
preg_quote does not escape the "-" (minus) character but it should.

Reproduce code:
preg_quote("0-9", '/')

Expected result:
preg_quote("0-9", '/') == "0\-9"

Actual result:
preg_quote("0-9", '/') == "0-9"

Depending on the used string this can become a dead loss of the used regular expression because all characters become valid.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-01-28 12:38 UTC]
The '-' just have special meaning in the regex when used whithin '[ ]', which are escaped as expected. So, there is no possibility to '-' break something.

var_dump(preg_quote("[0-2]")); // string(7) "\[0-2\]"
 [2009-01-28 12:42 UTC] daniel at code-emitter dot com
preg_match('/^([a-zA-Z0-9\-'.preg_quote("!#$%&'*+/=?^_`{|}~.", '/').']{1,64})@(.*)$/', $address, $matches)

But this will become a problem, when mixing like shown above. An escaped "-" outside of [...] does no harm, but an unescaped "-" inside does.
 [2009-01-28 12:44 UTC] daniel at code-emitter dot com
preg_match('/^([a-zA-Z0-9'.preg_quote("!#$%&'*+-/=?^_`{|}~.", '/').']{1,64})@(.*)$/', $address, $matches)

This will not work. I got this regexp from an example somewhere in the docs, so it seems that I'm not the only one who has built this into his application.
 [2009-01-28 13:23 UTC]
Ah, OK.

Assigning to maintainer...
 [2009-01-28 22:42 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Nov 27 21:03:13 2021 UTC