ID: 12668 Updated by: andrei Reported By: [EMAIL PROTECTED] Status: Analyzed Bug Type: PCRE related Operating System: FreeBSD 4.0 PHP Version: 4.0.6 New Comment: I could change it so that only " and \ are slashed. From what I remember about some of the complaints before addslashes behavior was implemented, people had security concerns about using some external vars as parts of eval strings. If the vars contained some quotes, some unexpected or dangerous code could be evaluated.. Previous Comments: ------------------------------------------------------------------------ [2001-08-09 14:07:14] [EMAIL PROTECTED] Ah - I see - so what I'm seeing is actually a symptom of the basic issue that addslashes() is not a perfect reciprocal to putting addslashes-affected characters inside a string - i.e.: <?php // double-quoted strings echo "\""; // produces " echo "\\"; // produces \ // but echo "\'"; // produces \' // single-quoted strings echo '\''; // produces ' echo '\\'; // produces \ // but echo '\"'; // produces \" ?> whereas in mysql: select "\""; # produces " select "\\"; # produces \ select "\'"; # produces ' and perl is yet again different (with strings in single-quotes anyway): print "\""; # produces " print "\\"; # produces \ print "\'"; # produces ' print '\''; # produces ' print '\\'; # produces \\ print '\"'; # produces " I suppose backward compatibility would prevent this core behavior from being changed at this stage - it's just kinda screwy that both single-quoting and double-quoting of strings is a bit of a compromise in terms of slashed characters. Perhaps instead of sending preg_replace carry-forward values through the entire addslashes routine, only " and \ could be returned as slashed, and users could stick with using double-quotes for strings within the (eval'd) replace string... that would prevent people from having to use a hack get it to work as expected. Thanks, Chuck ------------------------------------------------------------------------ [2001-08-09 09:19:18] [EMAIL PROTECTED] of course I meant addslashes() ------------------------------------------------------------------------ [2001-08-09 09:18:47] [EMAIL PROTECTED] how about creating either two different functions, or another attribute to preg_replace, that you can set true/false to run that add_slashes or not? ------------------------------------------------------------------------ [2001-08-09 09:03:31] [EMAIL PROTECTED] This is because preg_replace() runs addslashes() internally on the captured subpatterns before substrituting them into the replacement string. It didn't used to but a few people complained that it was really hard to pass $n to a function because of single and double-quote conflicts. To be frank, I'm not sure how to solve this problem adequately, one group of people want the addslashes() run, the other one doesn't. ------------------------------------------------------------------------ [2001-08-08 21:06:50] [EMAIL PROTECTED] Simple problem - the script: <?php echo preg_replace("/'/e", "\"$0\"", "'"); // that's double-quote, slash, single-quote, slash, e, double-quote // then double-quote, escaped double-quote, $0, escaped double-quote, double-quote // then double-quote, single-quote, double-quote // meaning = "replace all occurrences of single-quote with the same string matched during the search - i.e. single-quote" ?> should produce one plain single-quote, but instead it produces an escaped single-quote. No other character seems to exhibit this behavior. Configuration: './configure' '--prefix=/usr/local/php4' '--with-mysql' '--with-apxs=/usr/local/sbin/apxs' '--enable-track-vars' '--with-gd=/usr/local' '--with-zlib-dir=shared' '--with-ttf' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local' '--with-tiff-dir=/usr/local' '--with-mcrypt' '--with-pdflib' No other unusual configuration setups ------------------------------------------------------------------------ Edit this bug report at http://bugs.php.net/?id=12668&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]