|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #7749 addslashes wrong thing to do
Submitted: 2000-11-10 11:53 UTC Modified: 2000-11-15 10:25 UTC
From: james+phpbug at squish dot net Assigned: andrei (profile)
Status: Closed Package: PCRE related
PHP Version: 4.0.3pl1 OS: n/a
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: james+phpbug at squish dot net
New email:
PHP Version: OS:


 [2000-11-10 11:53 UTC] james+phpbug at squish dot net
Three bugs.


$text = preg_replace('/(foo(bar)?) is a good word/',
                     'wibble', $text);

Simple enough.  How about:

$text = preg_replace(/'(foo(bar)?) is a good word/e',

The first thing to note here is that the idea of substituting into the replacement string like this was a very bad idea, I would encourage you to phase this out in favour of $<num> replacement.

The two obvious things that PHP could get wrong with this form of substitution, PHP gets wrong :-)

Firstly - when \2 does not exist because there was no match, you should should get '', infact with PHP you get ^B, it seems you're simply looking for \<nums> that created matches rather than all \<nums.

Secondly - as a security-aware person, I immediate recognise the problems that '\1' could cause.  A quick look at the code reveals that (thankfully) some effort is being made to quote the inserted string (undocumentedly).  However, the code in PHP uses addslashes() which was designed for database use and not internal PHP single-quote escaping.  PHP's single-quotes only look for \' and \\ and therefore the escaping of " to \" and NULL to \0 in addslashes() will cause spurious backslashes to enter the text.

On an aside note, I also think it was a bad idea to put delimiters into the search string, there is no point to this at all and is just a burden to the user.

PHP does not support all of perl's delimiters, particularly it does not support the (), {}, [] matching delimiters.  This code will not work:

preg_replace("{wibble}", "wobble", $text);


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2000-11-10 11:59 UTC] james+phpbug at squish dot net
Minor fix to report: Rather than \2 become ^B as stated, it infact just remains \2, of course, in order to find out the value I mistakenly printed it in double-quotes so it became ^B.

 [2000-11-15 10:25 UTC]
I believe these issues have been resolved in the latest CVS.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 24 12:03:37 2021 UTC