To follow up on James's note, for those who weren't reading today's short
conversation:
This topic popped up today as a security issue and ended up being
rather a missing warning in the documentation.
The two functions eval() and preg_replace() (when used with the /e modifier)
evaluate strings as native
A warning about the preg_replace() command needs to be added to
the docs page for this command. The preg_replace() command
can use the "/e" modifier to have the "replacement" be
eval()'d by PHP, just like Perl.
There is a high potential for exploitable PHP code if a
programmer uses the /e modifier and
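The following is an added PHP example, not code from the message above or from the PHP project. It shows the two ways the /e modifier lets matched or user-supplied text become executed code, and the safe equivalent using preg_replace_callback(), which passes the match to a callback as data rather than eval()'ing a string. The function names and the sample template and lookup table are constructed for illustration. Caveat for anyone reading this on a current interpreter: /e was deprecated in PHP 5.5 and removed in PHP 7.0, so the unsafe branch is guarded by a version check; the closure needs PHP 5.3 or later.

```php
<?php
// Added example (not from the original message). Demonstrates why the /e
// modifier is dangerous whenever any part of the replacement string or the
// matched text is user-controlled, and the safe alternative.
// Note: /e was deprecated in PHP 5.5 and removed in PHP 7.0.

// Constructed sample data: a lookup table and a template such as one taken
// from a request parameter.
$vars = array('name' => 'Alice', 'day' => 'Monday');
$template = 'Hello {name}, today is {day}. {unknown} stays as-is.';

// UNSAFE 1: the replacement string itself comes from user input. With /e it
// is eval()'d after backreference substitution, so a "replacement" of
//   system('id')
// simply runs system('id'). (Hypothetical function name.)
function expand_unsafe_replacement($template, array $vars, $userReplacement) {
    // $vars is referenced from inside the eval()'d replacement string
    return preg_replace('/\{(\w+)\}/e', $userReplacement, $template);
}

// UNSAFE 2: the replacement is a constant, but the matched text (\1) is
// interpolated into a double-quoted string before eval(). preg_replace()
// backslash-escapes quotes in substituted backreferences, but not '$' or
// braces, so an input of  {${phpinfo()}}  becomes
//   strtolower("{${phpinfo()}}")
// and PHP's variable interpolation calls phpinfo(). (Hypothetical name.)
function lower_unsafe($input) {
    return preg_replace('/(.*)/e', 'strtolower("\1")', $input);
}

// SAFE: the "replacement" is a closure, never a string of PHP source. The
// match arrives as data in $m; nothing in it can turn into code.
// (Hypothetical function name; preg_replace_callback() is the real API.)
function expand_safe($template, array $vars) {
    return preg_replace_callback(
        '/\{(\w+)\}/',
        function ($m) use ($vars) {
            // $m[1] is the key inside the braces; leave unknown keys untouched
            return isset($vars[$m[1]]) ? $vars[$m[1]] : $m[0];
        },
        $template
    );
}

// Usage (constructed): the safe form works on every PHP version.
echo expand_safe($template, $vars), "\n";

if (PHP_VERSION_ID < 70000) {
    // Same templating via /e: the replacement  $vars['\1']  is real PHP code
    // assembled from the match, and any change to that string changes what
    // runs. Here the programmer-supplied string is benign; a user-supplied
    // one would not be.
    echo expand_unsafe_replacement($template, $vars, '$vars[\'\1\']'), "\n";
}
```

The practical rule the warning should convey: treat the /e replacement argument exactly like an argument to eval(), because that is what it is. If the replacement needs to compute anything from the match, use preg_replace_callback() instead; if the replacement is a plain string, drop /e entirely.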