php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52962 preg_replace should allow all special characters to be escaped
Submitted: 2010-10-01 02:49 UTC Modified: 2010-10-01 03:15 UTC
From: rewilliams at crystaltech dot com Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.3.3 OS: Mac OS X 10.6
Private report: No CVE-ID:
 [2010-10-01 02:49 UTC] rewilliams at crystaltech dot com
Description:
------------
One can use preg_quote() to prep a string for use as the search string with 
preg_replace() and family. However, 
attempting to pass a string escaped by preg_quote() into preg_replace() as the 
replacement string does not work 
because all PCRE-special characters (such as '+') are escaped, but only '$' and 
'\' are unescaped by preg_replace(). 
IOW, this:

	$result = preg_replace("/bar/", '\\\\BAR\$\+', 'foo bar baz');

yields:

	foo \BAR$\+ baz

preg_replace() should treat all escaped characters equally so that one can 
simply call preg_quote() and be done with 
it. As it is now, one must do something like this:

	$safeReplacementString = str_replace(array('\\', '$'), array('\\\\', 
'\\$'), $replacementString);

to avoid problems. Not is that an ugly solution, but I strongly suspect that 
most code out there doesn't do it.

Expected result:
----------------
The preg_replace() family of functions should accept any escaped PCRE special 
character sequence in the replacement text and treat it like the literal 
equivalent. Thus, '\+' should be treated as the literal '+'.

Actual result:
--------------
Presently, the preg_replace() family of functions only accept escaped sequences 
for '\' and '$'. If other PCRE-special characters, such as '+' or '*', are passed 
into the replacement string, the escape sequences (e.g., '/+') are left intact in 
the output result.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-01 03:15 UTC] cataphract@php.net
-Status: Open +Status: Bogus
 [2010-10-01 03:15 UTC] cataphract@php.net
This doesn't make sense. The replacement string is not a regular expression, the only characters with special meaning are \ and $ because they introduce the placeholders. In your solution, you would just be forced to escape characters that don't need escaping at all.

In any case, definitely not a bug.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 22:02:05 2014 UTC