php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #64516 preg_quote() doesn't work to escape the replacement
Submitted: 2013-03-25 22:30 UTC Modified: 2016-08-20 13:02 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: php at richardneill dot org Assigned: cmb (profile)
Status: Closed Package: PCRE related
PHP Version: 5.4.13 OS: all
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: php at richardneill dot org
New email:
PHP Version: OS:

 

 [2013-03-25 22:30 UTC] php at richardneill dot org
Description:
------------
preg_quote() is great for escaping a user-supplied search string.
There is no matching function to escape a user-supplied replacement string.

My wish is for preg_quote() to have an extra flag "IS_REPLACEMENT" or to have a 
function preg_quote_replacement(), which would escape only backslash and dollar 
signs.

Example below.


Might I also suggest this is a documentation bug, in that there is no explanation 
of the correct way to work around this?

Test script:
---------------
$text = 'Invoice: You owe me *#5* !';
$user_search  = "*#5*";
$user_replace = "*$5*";

$search = preg_quote($user_search, "/");
$replace_bad1 = $user_replace;
$replace_bad2 = preg_quote($user_replace);  

$new_text1 = preg_replace("/$search/", "$replace_bad1", $text);
$new_text2 = preg_replace("/$search/", "$replace_bad2", $text);
echo "Input: $text\nNew1:  $new_text1\nNew2:  $new_text2\n";


Expected result:
----------------
I want to return the string:
    Invoice: You owe me *$5* !


Actual result:
--------------
Input: Invoice: You owe me *#5* !
New1:  Invoice: You owe me ** !
New2:  Invoice: You owe me \*$5\* !

1. the '*' in the search string is not magic, thanks to the normal use of 
preg_quote(). This is what I expect.

2. If I replace with a literal, then '$5' becomes the 5th backreference, which is 
empty.

3. If I preg_quote the replacement, then we get spurious backslashes before the 
'*'s.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-20 12:41 UTC] cmb@php.net
-Summary: wish: add flag to preg_quote to escape the replacement +Summary: preg_quote() doesn't work to escape the replacement -Status: Open +Status: Verified -Type: Feature/Change Request +Type: Documentation Problem -Assigned To: +Assigned To: cmb
 [2016-08-20 12:41 UTC] cmb@php.net
In my opinion, there is no need for preg_quote_replacement() to be
in the core, because it appears to be rarely needed, and can
otherwise easily implemented in userland:

function preg_quote_replacement($str) {
    return addcslashes($str, '\\$');
}

See also <https://3v4l.org/ZYue6>.

I agree, that the documentation should be improved to point out
that preg_quote() shouldn't be used on replacement strings.
 [2016-08-20 13:02 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=339916
Log: Fix #64516: preg_quote() doesn't work to escape the replacement
 [2016-08-20 13:02 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2020-02-07 06:06 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=b64ba59d6aa1f51c14d3240359b228cb6e617cb1
Log: Fix #64516: preg_quote() doesn't work to escape the replacement
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jul 06 07:01:33 2025 UTC