I'm confronted with a somewhat weird problem and hopefully someone can make a
suggestion. I have to perform the following 3-step task:
Step 1. Someone provides a string (let's call it the formatting string) which
contains a PHP expression, which will apply a PHP function on another string,
let's call this one the random string. I control neither the formatting string
nor the random string.
Example of formatting string: "trim('%val%')"
Step 2. As you may have guessed, I have to insert the random string in the
formatting string before I can eval() the latter. So I need to replace %val%
with the random string. But I have to be careful, since the random string may
itself contain either double or single quotes, which will break the eval()
later. So I also need an addslashes().
Operations performed:
$for_eval=str_replace('%val%',addslashes($random),$format); // insert the escaped random string
$for_eval='$final_result='.$for_eval.';';                    // turn the expression into an assignment
eval($for_eval);                                              // run it; $final_result now holds the result
Step 3. After the above, I should have the formatted string in $final_result.
***
So now for the problem: addslashes() indiscriminately escapes with backslashes
both single and double quotes. String variables can be specified with either
single or double quotes; each of the cases, in turn, will not un-escape the
other type of quote. For example, a string enclosed in double quotes will not
un-escape \' and a string enclosed in single quotes will not un-escape \".
But my addslashes() escaped both types of quotes. And the formatting string
(see step 1) will necessarily have enclosed the string to be inserted (%val%) in only
one of the two types of quotes. So, after all steps are performed, I may very
well be left with either single or double quotes still escaped, depending on
the type of quotes which were used in the formatting string.
I was under the impression that double-quoted strings would be interpreted so as to
unescape single quotes too. However, the manual says they don't do that; they
unescape some common print sequences (such as tab or newline), double quotes
(of course), backslash itself, and octal or hex expressions. NOT single quotes.
If only I could be sure of the type of quotes which were used in the
formatting string, I could only escape those by hand. But I can't be sure.
Also, I can't forcefully strip slashes from the final result, because I don't
know which sequences that look like escapes are really escapes or are just
legitimate pieces of string.
If only double quote strings would un-escape both types of quotes; they don't,
so their un-escape action is not a 100% reversion of the addslashes() effect.
Any ideas?
--
Romanian Web Developers - http://ROWD.ORG
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
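An added example (not from the original post) that reproduces the stray-backslash problem described above and shows two ways around it: replacing the quoted placeholder with a var_export() literal if eval() has to stay, and, preferably, parsing the formatting string and applying only allowlisted functions so no PHP source is built from data at all. The helper names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not the poster's code. Helper names are made up.

// (1) The poster's approach: addslashes() escapes both quote types, but a
//     single-quoted PHP literal only unescapes \' and \\, so \" survives.
function naive_format(string $format, string $random): string
{
    $for_eval = str_replace('%val%', addslashes($random), $format);
    $for_eval = '$final_result=' . $for_eval . ';';
    eval($for_eval);
    return $final_result;
}

// (2) If eval() must stay: replace the quoted placeholder *including its
//     quotes* with var_export(), which emits a correct PHP literal no matter
//     which quote style the formatting string used. A callback is used so that
//     "$1" or "\1" inside the random string is not treated as a backreference.
//     The formatting string itself must still come from a trusted source.
function literal_format(string $format, string $random): string
{
    $code = preg_replace_callback('/([\'"])%val%\1/',
        fn($m) => var_export($random, true), $format);
    return eval('return ' . $code . ';');
}

// (3) Preferred: parse the formatting string and apply only allowlisted
//     functions, so no PHP source is ever built from data.
function safe_format(string $format, string $random): string
{
    $allowed = ['trim', 'strtoupper', 'strtolower', 'ucfirst', 'htmlspecialchars'];
    if (!preg_match('/^\s*([a-zA-Z_]\w*)\s*\(\s*([\'"])%val%\2\s*\)\s*$/', $format, $m)) {
        throw new InvalidArgumentException("unsupported formatting string: $format");
    }
    if (!in_array($m[1], $allowed, true)) {
        throw new InvalidArgumentException("function not allowed: {$m[1]}");
    }
    return $m[1]($random);
}

// Constructed input: a double quote inside the random string, single quotes
// around the placeholder in the formatting string.
$random = ' say "hi" ';
var_dump(naive_format("trim('%val%')", $random));      // string(10) "say \"hi\""
var_dump(literal_format("trim('%val%')", $random));    // string(8) "say "hi""
var_dump(safe_format("trim('%val%')", $random));       // string(8) "say "hi""
var_dump(safe_format('strtoupper("%val%")', $random)); // string(10) " SAY "HI" "
```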