ID:               39679
 User updated by:  silverbanana at gmx dot de
 Reported By:      silverbanana at gmx dot de
 Status:           Bogus
 Bug Type:         PCRE related
 Operating System: Any
 PHP Version:      6CVS-2006-11-29 (CVS)
 New Comment:

The problem might be that I cannot filter the string without messing
things up or losing elegance. OK, maybe using $_GET[something] was a
bad example. Just think that string was read from some file or any
other source. Then ext/filter will not be an option, will it?

One other point: preg_replace is often enough supposed to do filtering
in the first place. Now, how much sense does it make to have to filter
input to get the filter working?

It's about elegance and speed, not about making things work somehow.


Previous Comments:
------------------------------------------------------------------------

[2006-11-29 10:23:18] [EMAIL PROTECTED]

You must filter all the data coming from external sources.
ext/filter is one of the tools you can use for that.

------------------------------------------------------------------------

[2006-11-29 10:12:43] silverbanana at gmx dot de

Description:
------------
preg_replace offers the e modifier to evaluate a replacement string as
PHP code and use the result of that code for the replacement. This is a
very powerful feature. There is, however, one problem:

If you want to get the string found by preg_replace, things can get
complicated, dangerous, even impossible:

This should replace anything between a and b by giving its strlen.

$search[0]="/a(.*)b/e";
$replace[0]="strlen('\\1')";
$result=preg_replace($search, $replace, $_GET['in']);

Obviously it is possible to do very bad things here, because
$_GET['in'] might be a string like: "');dosthbad();$a=('".


Expected result:
----------------
It would be good to have a predefined variable available inside the
eval'ed PHP code that just contains all the values for the
parentheses. Assume this is called $found. Then one could write
something like this:

$search[0]="/a(.*)b/e"; // same as before
$replace[0]='strlen($found[1])'; // <- changed
$result=preg_replace($search, $replace, $_GET['in']); // same

And this time things would be safe. Possibly it might be useful to
introduce this functionality under a different modifier, but I think it
would be a significant improvement for many applications.



------------------------------------------------------------------------
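
The $found variable requested in the original report corresponds to what preg_replace_callback() provides: the captures reach a callback as an array and are never spliced into evaluated code. The PHP below is an added example, not part of the bug thread; replace_with_length() is a hypothetical name, the sample inputs are constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example, not from the bug report: the same "/a(.*)b/" replacement
// done with preg_replace_callback(), so captures arrive as data in $m.

/**
 * Replace every a...b span with the length of the text between a and b.
 * $m[0] is the whole match and $m[1] the first parenthesised group, which
 * is the role the report proposes for $found[1].
 * (replace_with_length is a hypothetical helper name.)
 */
function replace_with_length(string $input): string
{
    $result = preg_replace_callback(
        '/a(.*)b/',                          // same pattern, no e modifier
        static function (array $m): string {
            // $m[1] is an ordinary string; quotes and parentheses inside
            // it are counted as characters, not parsed as PHP.
            return (string) strlen($m[1]);
        },
        $input
    );
    if ($result === null) {
        // preg_* functions return null on engine errors
        // (for example when the backtrack limit is exceeded).
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result;
}

// Constructed inputs. The second places the hostile string quoted in the
// report between a and b.
$samples = [
    'xxaHELLObyy',
    "a');dosthbad();\$a=('b",
];

foreach ($samples as $s) {
    printf("%-28s => %s\n", $s, replace_with_length($s));
}
```
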


-- 
Edit this bug report at http://bugs.php.net/?id=39679&edit=1
