PHP :: Doc Bug #64516 :: preg_quote() doesn't work to escape the replacement

preg_quote() doesn't work to escape the replacement

Submitted:

2013-03-25 22:30 UTC

Modified:

2016-08-20 13:02 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

php at richardneill dot org

Assigned:

cmb (profile)

Status:

Closed

Package:

PCRE related

PHP Version:

5.4.13

OS:

all

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	php at richardneill dot org
New email:
PHP Version:		OS:

New Comment:

[2013-03-25 22:30 UTC] php at richardneill dot org

Description:
------------
preg_quote() is great for escaping a user-supplied search string.
There is no matching function to escape a user-supplied replacement string.

My wish is for preg_quote() to have an extra flag "IS_REPLACEMENT" or to have a 
function preg_quote_replacement(), which would escape only backslash and dollar 
signs.

Example below.


Might I also suggest this is a documentation bug, in that there is no explanation 
of the correct way to work around this?

Test script:
---------------
$text = 'Invoice: You owe me *#5* !';
$user_search  = "*#5*";
$user_replace = "*$5*";

$search = preg_quote($user_search, "/");
$replace_bad1 = $user_replace;
$replace_bad2 = preg_quote($user_replace);  

$new_text1 = preg_replace("/$search/", "$replace_bad1", $text);
$new_text2 = preg_replace("/$search/", "$replace_bad2", $text);
echo "Input: $text\nNew1:  $new_text1\nNew2:  $new_text2\n";


Expected result:
----------------
I want to return the string:
    Invoice: You owe me *$5* !


Actual result:
--------------
Input: Invoice: You owe me *#5* !
New1:  Invoice: You owe me ** !
New2:  Invoice: You owe me \*$5\* !

1. the '*' in the search string is not magic, thanks to the normal use of 
preg_quote(). This is what I expect.

2. If I replace with a literal, then '$5' becomes the 5th backreference, which is 
empty.

3. If I preg_quote the replacement, then we get spurious backslashes before the 
'*'s.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-08-20 12:41 UTC] cmb@php.net

-Summary: wish: add flag to preg_quote to escape the replacement +Summary: preg_quote() doesn't work to escape the replacement -Status: Open +Status: Verified -Type: Feature/Change Request +Type: Documentation Problem -Assigned To: +Assigned To: cmb

[2016-08-20 12:41 UTC] cmb@php.net

In my opinion, there is no need for preg_quote_replacement() to be
in the core, because it appears to be rarely needed, and can
otherwise easily implemented in userland:

function preg_quote_replacement($str) {
    return addcslashes($str, '\\$');
}

See also <https://3v4l.org/ZYue6>.

I agree, that the documentation should be improved to point out
that preg_quote() shouldn't be used on replacement strings.

[2016-08-20 13:02 UTC] cmb@php.net

Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=339916
Log: Fix #64516: preg_quote() doesn't work to escape the replacement

[2016-08-20 13:02 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2020-02-07 06:06 UTC] phpdocbot@php.net

Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=b64ba59d6aa1f51c14d3240359b228cb6e617cb1
Log: Fix #64516: preg_quote() doesn't work to escape the replacement

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Jul 06 07:01:33 2025 UTC