|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52962 preg_replace should allow all special characters to be escaped
Submitted: 2010-10-01 02:49 UTC Modified: 2010-10-01 03:15 UTC
From: rewilliams at crystaltech dot com Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.3.3 OS: Mac OS X 10.6
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: rewilliams at crystaltech dot com
New email:
PHP Version: OS:


 [2010-10-01 02:49 UTC] rewilliams at crystaltech dot com
One can use preg_quote() to prep a string for use as the search string with 
preg_replace() and family. However, 
attempting to pass a string escaped by preg_quote() into preg_replace() as the 
replacement string does not work 
because all PCRE-special characters (such as '+') are escaped, but only '$' and 
'\' are unescaped by preg_replace(). 
IOW, this:

	$result = preg_replace("/bar/", '\\\\BAR\$\+', 'foo bar baz');


	foo \BAR$\+ baz

preg_replace() should treat all escaped characters equally so that one can 
simply call preg_quote() and be done with 
it. As it is now, one must do something like this:

	$safeReplacementString = str_replace(array('\\', '$'), array('\\\\', 
'\\$'), $replacementString);

to avoid problems. Not is that an ugly solution, but I strongly suspect that 
most code out there doesn't do it.

Expected result:
The preg_replace() family of functions should accept any escaped PCRE special 
character sequence in the replacement text and treat it like the literal 
equivalent. Thus, '\+' should be treated as the literal '+'.

Actual result:
Presently, the preg_replace() family of functions only accept escaped sequences 
for '\' and '$'. If other PCRE-special characters, such as '+' or '*', are passed 
into the replacement string, the escape sequences (e.g., '/+') are left intact in 
the output result.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-10-01 03:15 UTC]
-Status: Open +Status: Bogus
 [2010-10-01 03:15 UTC]
This doesn't make sense. The replacement string is not a regular expression, the only characters with special meaning are \ and $ because they introduce the placeholders. In your solution, you would just be forced to escape characters that don't need escaping at all.

In any case, definitely not a bug.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu Jul 07 00:05:45 2022 UTC