ID: 12668
Updated by: andrei
Status: Analyzed
Bug Type: PCRE related
Operating System: FreeBSD 4.0
PHP Version: 4.0.6
New Comment:

I could change it so that only " and \ are slashed. From what I remember about some of 
the complaints before addslashes behavior was implemented, people had security 
concerns about using some external vars as parts of eval strings. If the vars 
contained some quotes, some unexpected or dangerous code could be evaluated..

Previous Comments:

[2001-08-09 14:07:14] [EMAIL PROTECTED]

Ah - I see - so what I'm seeing is actually a symptom of the basic issue that 
addslashes() is not a perfect reciprocal to putting addslashes-affected characters 
inside a string - i.e.:

// double-quoted strings
echo "\""; // produces "
echo "\\"; // produces \
// but
echo "\'"; // produces \'

// single-quoted strings
echo '\''; // produces '
echo '\\'; // produces \
// but
echo '\"'; // produces \"

whereas in mysql:

select "\""; # produces "
select "\\"; # produces \
select "\'"; # produces '

and perl is yet again different (with strings in single-quotes anyway):

print "\""; # produces "
print "\\"; # produces \
print "\'"; # produces '

print '\''; # produces '
print '\\'; # produces \\
print '\"'; # produces "

I suppose backward compatibility would prevent this core behavior from being changed 
at this stage - it's just kinda screwy that both single-quoting and double-quoting of 
strings is a bit of a compromise in terms of slashed characters.

Perhaps instead of sending preg_replace carry-forward values through the entire 
addslashes routine, only " and \ could be returned as slashed, and users could stick 
with using double-quotes for strings within the (eval'd) replace string... that would 
prevent people from having to use a hack get it to work as expected.



[2001-08-09 09:19:18] [EMAIL PROTECTED]

of course I meant addslashes()


[2001-08-09 09:18:47] [EMAIL PROTECTED]

how about creating either two different functions, or another
attribute to preg_replace, that you can set true/false to run
that add_slashes or not?


[2001-08-09 09:03:31] [EMAIL PROTECTED]

This is because preg_replace() runs addslashes() internally on the captured 
subpatterns before substrituting them into the replacement string. It didn't used to 
but a few people complained that it was really hard to pass $n to a function because 
of single and double-quote conflicts. To be frank, I'm not sure how to solve this 
problem adequately, one group of people want the addslashes() run, the other one 


[2001-08-08 21:06:50] [EMAIL PROTECTED]

Simple problem - the script:

echo preg_replace("/'/e", "\"$0\"", "'");
// that's double-quote, slash, single-quote, slash, e, double-quote
// then double-quote, escaped double-quote, $0, escaped double-quote, double-quote
// then double-quote, single-quote, double-quote
// meaning = "replace all occurrences of single-quote with the same string matched 
during the search - i.e. single-quote"

should produce one plain single-quote, but instead it produces an escaped 

No other character seems to exhibit this behavior.

 './configure' '--prefix=/usr/local/php4' '--with-mysql' 
'--with-apxs=/usr/local/sbin/apxs' '--enable-track-vars' '--with-gd=/usr/local' 
'--with-zlib-dir=shared' '--with-ttf' '--with-jpeg-dir=/usr/local' 
'--with-png-dir=/usr/local' '--with-tiff-dir=/usr/local' '--with-mcrypt' 

No other unusual configuration setups


Edit this bug report at

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to