Request #65283 preg_quote escapes unnecessary characters + Doc
Submitted: 2013-07-18 00:27 UTC
Modified: 2013-07-18 05:33 UTC
From: david at grudl dot com
Assigned:
Status: Not a bug
Package: PCRE related
PHP Version: Irrelevant
OS:
Private report: No
CVE-ID: None
 [2013-07-18 00:27 UTC] david at grudl dot com
Description:
------------
preg_quote() escapes all PCRE metacharacters. It also escapes these characters = ! < > : which have no special meaning. I am unable to find any scenario in which these characters should be escaped, can you? For assertions it is enough to escape ?. So they shouldn't be escaped.

There is also a problem in the documentation: preg_quote escapes \x00, but this is not mentioned.


 [2013-07-18 05:33 UTC] ab@php.net
-Status: Open +Status: Not a bug
 [2013-07-18 05:33 UTC] ab@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

from the doc 

"preg_quote — Quote regular expression characters"

so that's exactly what you blame ;)

the scenario is pretty simple

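$pattern = '[/';
$subj = 'a[/b'; // sample subject (constructed)
// pass the delimiter as second argument so that '/' is escaped as well
preg_match('/' . preg_quote($pattern, '/') . '/', $subj);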
 [2013-07-19 22:37 UTC] david at grudl dot com
Abc, please double-read my issue ;) 

So once more:

1) preg_quote is quoting characters (these = ! < > : ) which may not be quoted. Could you show me a scenario when these (again, THESE) characters should be escaped?

2) the documentation is missing the information that preg_quote quotes \x00
 [2013-07-20 09:16 UTC] nikic@php.net
= is used in (?=, ! is used in (?!, < is used in (?<=, > is used in (?>, : is used in (?:. < and > are also used in (?<...>, \g<...>, etc.

Of course all these might be effectively covered by other escapes (for ? and \), but presumably the idea here is "better safe than sorry" :) There is no harm in escaping more characters than strictly necessary, but quite a lot of harm in missing some edge-case ;)
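
The behaviour discussed in this thread, as an added example (not code from the report, from the replies or from the PHP project): it lists which of the disputed characters preg_quote() escapes, then embeds untrusted text in a pattern with and without the delimiter argument. The helper names literal_pattern and escaped_by_preg_quote and all sample strings are assumptions made for illustration.

```php
<?php
// Added example; helper names and input strings are constructed for illustration.

/** Build a pattern that matches $literal verbatim, using $delim as delimiter. */
function literal_pattern(string $literal, string $delim = '/'): string
{
    // The second argument makes preg_quote() escape the delimiter too;
    // '/' is not a PCRE metacharacter and is left alone without it.
    return $delim . preg_quote($literal, $delim) . $delim;
}

/** Return the characters of $chars that preg_quote() prefixes with a backslash. */
function escaped_by_preg_quote(string $chars): array
{
    $out = [];
    foreach (str_split($chars) as $c) {
        if (preg_quote($c) !== $c) {
            // Show NUL in a printable form.
            $out[] = $c === "\0" ? '\x00' : $c;
        }
    }
    return $out;
}

// The five characters from the report, NUL, and two characters for contrast.
echo implode(' ', escaped_by_preg_quote("=!<>:\0a/")), "\n";

// Constructed untrusted input: lookahead syntax, the delimiter and a NUL byte.
$input   = "(?=a)/b\0";
$subject = "x(?=a)/b\0y";

// With the delimiter argument the input is matched as plain text.
$pattern = literal_pattern($input);
echo $pattern, "\n";
var_dump(preg_match($pattern, $subject));

// Without it, the unescaped '/' closes the pattern early and the rest is
// parsed as modifiers, so compilation fails (warning suppressed here).
$broken = '/' . preg_quote($input) . '/';
echo $broken, "\n";
var_dump(@preg_match($broken, $subject));
```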
 