|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77364 preg_quote incorrectly escapes # character
Submitted: 2018-12-28 17:00 UTC Modified: 2019-01-02 09:32 UTC
From: peku33 at gmail dot com Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 7.3.0 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: peku33 at gmail dot com
New email:
PHP Version: OS:


 [2018-12-28 17:00 UTC] peku33 at gmail dot com
preg_quote function escapes # character, while it shouldn't.

This breaks IPBoard 4.3.6 forums in which friendly urls uses custom regexes with #, @, ? characters in url templates. Urls are passed through preg_quote function and # is replaced with \#. In next section {#} should be replaced with (\d+), but this fails, since there is {#} but {\#}.

PHP 7.3.0-2 (cli) (built: Dec 17 2018 09:51:53) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.0-2, Copyright (c) 1999-2018, by Zend Technologies

Test script:

        $inputs = ['#', '?', '@'];
        foreach($inputs as $input)
                var_dump($input, preg_quote($input));

Expected result:
string(1) "#"
string(1) "#"
string(1) "?"
string(2) "\?"
string(1) "@"
string(1) "@"

Actual result:
string(1) "#"
string(2) "\#"
string(1) "?"
string(2) "\?"
string(1) "@"
string(1) "@"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-28 23:05 UTC]
> preg_quote function escapes # character, while it shouldn't.

This has been deliberately done to fix bug #75355.  Unfortunately,
this ticket has missed the deadline[1], and it seems to me that
reverting now could do more harm than good.

[1] <>
 [2019-01-02 09:32 UTC]
-Status: Open +Status: Not a bug
 [2019-01-02 09:32 UTC]
Yeah, this is an intentional change (and documented on, and I don't believe we will go back on it. "#" is a special character inside regular expressions under some circumstances, and not escaping it could result in a security issue.

In your particular case, it looks like you should be able to accommodate the new behavior by replacing both '\#' and '#' with '\d'.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jul 25 16:01:28 2024 UTC