I'm confronted with a somewhat weird problem and hopefully someone can make a suggestion. I have to perform the following 3-step task:
Step 1. Someone provides a string (let's call it the formatting string) which contains a PHP expression, which will apply a PHP function on another string; let's call this one the random string. I don't control either the formatting or the random string. Example of formatting string: "trim('%val%')"

Step 2. As you may have guessed, I have to insert the random string in the formatting string before I can eval() the latter. So I need to replace %val% with the random string. But I have to be careful, since the random string may itself contain either double or single quotes, which will break the eval() later. So I also need an addslashes(). Operations performed:

    // insert the escaped random string into the formatting string
    $for_eval = str_replace('%val%', addslashes($random), $format);
    // turn the expression into an assignment and evaluate it
    $for_eval = '$final_result=' . $for_eval . ';';
    eval($for_eval);

Step 3. After the above, I should have the formatted string in $final_result.

***

So now for the problem: addslashes() indiscriminately escapes with backslashes both single and double quotes. String variables can be specified with either single or double quotes; each of the cases, in turn, will not un-escape the other type of quote. For example, a string enclosed in double quotes will not un-escape \' and a string enclosed in single quotes will not un-escape \". But my addslashes() escaped both types of quotes. And the formatting string (see step 1) will necessarily have enclosed the string to be (%val%) in only one of the two types of quotes. So, after all steps are performed, I may very well be left with either single or double quotes still escaped, depending on the type of quotes which were used in the formatting string.

I was under the impression that double quote strings will be interpreted as to unescape single quotes too. However, the manual says they don't do that; they unescape some common print sequences (such as tab or newline), double quotes (of course), backslash itself, and octal or hex expressions. NOT single quotes.
If only I could be sure of the type of quotes which were used in the formatting string, I could only escape those by hand. But I can't be sure. Also, I can't forcefully strip slashes from the final result, because I don't know which sequences that look like escapes are really escapes or are just legitimate pieces of string. If only double quote strings would un-escape both types of quotes; they don't, so their un-escape action is not a 100% reversion of the addslashes() effect.

Any ideas?

--
Romanian Web Developers - http://ROWD.ORG

--
PHP General Mailing List (http://www.php.net/)
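
Added example, not part of the original message: it reproduces the addslashes()/eval() round-trip loss described above for both quote styles, next to an alternative that needs no escaping because the formatting string is never evaluated as code. ALLOWED, eval_format() and apply_format() are hypothetical names, and the alternative assumes the formatting string is always a single function call on the quoted %val% placeholder, as in the message's trim('%val%') example.

```php
<?php
// Added example. ALLOWED, eval_format() and apply_format() are hypothetical names.
const ALLOWED = ['trim', 'strtoupper', 'strtolower', 'ucfirst'];

// The approach from the message: addslashes() + eval(), kept to show the loss.
// The formatting string runs as PHP code here, so it must come from a trusted party.
function eval_format(string $format, string $random): string
{
    $for_eval = str_replace('%val%', addslashes($random), $format);
    $final_result = '';
    eval('$final_result=' . $for_eval . ';');
    return $final_result;
}

// Alternative: accept only  name('%val%')  or  name("%val%"), check the
// function name against an allowlist, and pass the random string as a real
// argument. Nothing is escaped, so nothing has to be un-escaped afterwards.
function apply_format(string $format, string $random): string
{
    $pattern = '/^\s*([A-Za-z_][A-Za-z0-9_]*)\(\s*([\'"])%val%\2\s*\)\s*$/';
    if (!preg_match($pattern, $format, $m)) {
        throw new InvalidArgumentException('unsupported formatting string');
    }
    $function = strtolower($m[1]);
    if (!in_array($function, ALLOWED, true)) {
        throw new InvalidArgumentException('function not allowed: ' . $m[1]);
    }
    return call_user_func($function, $random);
}

// Constructed sample value containing both quote types.
$random = " it's a \"test\" ";

// Single-quoted placeholder: \' is un-escaped, \" keeps its backslash.
var_dump(eval_format("trim('%val%')", $random));
// Double-quoted placeholder: \" is un-escaped, \' keeps its backslash.
var_dump(eval_format('trim("%val%")', $random));

// Direct call: the value round-trips exactly with either quote style.
var_dump(apply_format("trim('%val%')", $random));
var_dump(apply_format('trim("%val%")', $random));
```

With a double-quoted placeholder the eval() variant would also interpolate any $name sequences in the random string, which addslashes() does not escape.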