From the Professional PHP Blog
today there are two "preg_replace gotchas" they wanted to let you know about.
preg_replace is a major workhorse function in PHP. Unfortunately, there are some less than obvious issues with using it properly. Here are two:
- The e modifier causes the replacement value of preg_replace (including backreferences) to be evaluated as PHP code. This is a powerful capability. If you've ever seen an SQL injection, this sounds dangerous. It would be, too, but PHP automatically escapes any backreferences because building the string to evaluate.
- Second, most users of the preg_ functions are familiar with preg_quote for escaping strings to use them as literals in regular expression patterns. However, many people don't realize that the replacement parameter of preg_replace also has special characters.
He also gives code examples of each of these situations and shows you what to do to take the safer route around them...