|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #7749 addslashes wrong thing to do
Submitted: 2000-11-10 11:53 UTC Modified: 2000-11-15 10:25 UTC
From: james+phpbug at squish dot net Assigned: andrei (profile)
Status: Closed Package: PCRE related
PHP Version: 4.0.3pl1 OS: n/a
Private report: No CVE-ID: None
 [2000-11-10 11:53 UTC] james+phpbug at squish dot net
Three bugs.


$text = preg_replace('/(foo(bar)?) is a good word/',
                     'wibble', $text);

Simple enough.  How about:

$text = preg_replace(/'(foo(bar)?) is a good word/e',

The first thing to note here is that the idea of substituting into the replacement string like this was a very bad idea, I would encourage you to phase this out in favour of $<num> replacement.

The two obvious things that PHP could get wrong with this form of substitution, PHP gets wrong :-)

Firstly - when \2 does not exist because there was no match, you should should get '', infact with PHP you get ^B, it seems you're simply looking for \<nums> that created matches rather than all \<nums.

Secondly - as a security-aware person, I immediate recognise the problems that '\1' could cause.  A quick look at the code reveals that (thankfully) some effort is being made to quote the inserted string (undocumentedly).  However, the code in PHP uses addslashes() which was designed for database use and not internal PHP single-quote escaping.  PHP's single-quotes only look for \' and \\ and therefore the escaping of " to \" and NULL to \0 in addslashes() will cause spurious backslashes to enter the text.

On an aside note, I also think it was a bad idea to put delimiters into the search string, there is no point to this at all and is just a burden to the user.

PHP does not support all of perl's delimiters, particularly it does not support the (), {}, [] matching delimiters.  This code will not work:

preg_replace("{wibble}", "wobble", $text);


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2000-11-10 11:59 UTC] james+phpbug at squish dot net
Minor fix to report: Rather than \2 become ^B as stated, it infact just remains \2, of course, in order to find out the value I mistakenly printed it in double-quotes so it became ^B.

 [2000-11-15 10:25 UTC]
I believe these issues have been resolved in the latest CVS.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 24 13:03:38 2021 UTC