|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #75959 Support a function to escape glob metacharacters
Submitted: 2018-02-14 09:49 UTC Modified: 2018-07-23 12:30 UTC
From: maggus dot staab+php at googlemail dot com Assigned:
Status: Open Package: Filesystem function related
PHP Version: 7.0.27 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: maggus dot staab+php at googlemail dot com
New email:
PHP Version: OS:


 [2018-02-14 09:49 UTC] maggus dot staab+php at googlemail dot com
Atm there is no api to escape glob patterns.

this makes glob() useless for cases in which dynamic (maybe even user-supplied contents will be embedded into the glob pattern).

Test script:
$glob = 'hallo*lala'; // I want this string to match the literal '*' char 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-14 10:01 UTC]
-Status: Open +Status: Feedback
 [2018-02-14 10:27 UTC] maggus dot staab+php at googlemail dot com
thx for the pointer.

this method does 90% of what I need, but is not exactly what I search.

e.g. glob() supports {} (curly-braces) but those are not escaped with this function.

additionally quotemeta() escapes the ^ character which is not a meta-char in the "glob" sense.
 [2018-02-14 11:44 UTC]
-Status: Feedback +Status: Open -Package: *General Issues +Package: Filesystem function related
 [2018-02-14 11:44 UTC]
According to glob(3) it sounds like extra backslashes aren't harmful. According to glob(7) using a ^ (as in [^]) is defined to be undefined so maybe it should be escaped to be safe, but I do see that quotemeta won't get ! or ~

The next step would be addcslashes. I'm sure POSIX PHP's glob uses the system's glob(3) which has ?*[!]{~} as special - don't know how Windows PHP's glob works.

While {}s aren't special unless the GLOB_BRACE option is used, nevermind that GLOB_NOESCAPE prevents escaping from doing anything at all, I think it would be best if the function worked like quotemeta and preg_quote and simply escaped everything that could possibly be used. Speaking of, I could see situations where periods and slashes could be special too, even though they're not actually metacharacters.

Personally I would just use addcslashes depending on my use case, like to allow * ? but disallow everything else. Listing the metacharacters in the glob docs would be helpful to that end. In fact if it weren't for the fact that quotemeta exists, old as it is, I would say let's just document what's special and tell people how to escape what they don't want.
 [2018-02-14 12:30 UTC] maggus dot staab+php at googlemail dot com
in case quotemeta() is the correct escaping function for glob and its caveats would be described on its doc page it should also be cross-linked via "see also" from the "glob()" docs page.
 [2018-07-23 12:30 UTC]
> […] - don't know how Windows PHP's glob works.

For Windows we have an own implementation[1], which enforces

[1] <>
[2] <>
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jul 16 02:01:27 2024 UTC