 ID:               30552
 Updated by:       [EMAIL PROTECTED]
 Reported By:      cristic at interaktonline dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         Apache2 related
 Operating System: Windows XP Home Edition
 PHP Version:      4.3.9
 New Comment:

Not PHP bug. (PCRE has limitations..)


Previous Comments:
------------------------------------------------------------------------

[2004-11-10 09:18:45] cmarin at interaktonline dot com

I'm back:
The bug appears to have a memory allocation issue when it tries to split the string. A workaround is to use the 's' modifier. The following RegExp, which gives the same results, works:

'/^(\s|\n|\r)*select.*limit\s+-?[0-9]+(\s|\n|\r)*(,( \s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/ims'

------------------------------------------------------------------------

[2004-10-25 16:31:44] cristic at interaktonline dot com

Description:
------------
Crashing configurations:
Apache 2.0.50 with PHP 4.3.7, 4.3.8, 4.3.9
or
Apache 2.0.48 with PHP 4.3.6
OS Win XP Home Edition

The code below does not crash with PHP 4.3.7, 4.3.8 or 4.3.9 and Apache 1.3.31 on the same OS.

Reproduce code:
---------------
<?php
$sql = "SELECT sur_survey_ssr.id_ssr,sur_survey_ssr.name_ssr,
sur_survey_ssr.welcome_ssr,sur_survey_ssr.thankyou_ssr,
sur_survey_ssr.footer_ssr,sur_survey_ssr.header_ssr,
sur_survey_ssr.startdate_ssr,sur_survey_ssr.enddate_ssr,
sur_survey_ssr.url_ssr,sur_survey_ssr.active_ssr,
count(s2.id_srs) as responses, count(s1.id_srs) as test
FROM sur_survey_ssr
LEFT JOIN sur_response_srs s2 ON id_ssr=s2.idssr_srs
LEFT JOIN sur_response_srs s1 ON id_ssr=s1.idssr_srs AND s1.test_srs=1
WHERE 1=1
GROUP BY sur_survey_ssr.id_ssr
ORDER BY startdate_ssr DESC";

if (preg_match('/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im', $sql, $matches)) {
    die('a');
} else {
    die('b');
}
?>

Expected result:
----------------
- The regular expression should match any string that starts with the 'SELECT' SQL keyword and ends with a LIMIT SQL condition.

Actual result:
--------------
- When this specific string, contained in the $sql variable, is specified, the Apache process crashes.
- Backtracking the problem, I found out that the following regular expression stops crashing the Web Server:

'/^(\s|\n|\r)*select(\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im'

- The crash appears immediately; it's not an infinite loop.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=30552&edit=1
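The workaround from the 2004-11-10 comment, written out as an added PHP example that is not part of the original report: `.*` with the `s` modifier replaces the repeated group `(.|\n|\r)*`, PCRE's limits are capped, and a `false` return from `preg_match` is treated as an engine error rather than a non-match. The function name `is_select_with_limit`, the limit values and the sample queries are assumptions; `\s*` stands in for `(\s|\n|\r)*` because `\s` already matches `\n` and `\r`, and `preg_last_error()` requires PHP 5.2 or later.

```php
<?php
// Added example; the function name, limit values and sample queries are
// assumptions made for illustration, not taken from the bug report.

// Cap PCRE's recursion and backtracking (ini settings available since
// PHP 5.2) so an expensive match fails with an error code instead of
// exhausting the process stack.
ini_set('pcre.recursion_limit', '10000');
ini_set('pcre.backtrack_limit', '100000');

function is_select_with_limit($sql)
{
    // '.*' under the 's' modifier matches newlines too, so the alternation
    // group '(.|\n|\r)*' from the crashing pattern is not needed.
    $pattern = '/^\s*select.*limit\s+-?[0-9]+\s*(,\s*-?[0-9]+)?\s*$/ims';

    $result = preg_match($pattern, $sql);
    if ($result === false) {
        // false means the engine gave up (limit reached, bad UTF-8, ...),
        // which must not be confused with 0, "pattern did not match".
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result === 1;
}

// Constructed sample inputs.
$samples = array(
    "SELECT id_ssr, name_ssr\nFROM sur_survey_ssr\nLIMIT 10, 20",
    "SELECT id_ssr FROM sur_survey_ssr\nWHERE 1=1\nORDER BY startdate_ssr DESC",
    "UPDATE sur_survey_ssr SET active_ssr=0 LIMIT 1",
);

foreach ($samples as $sql) {
    try {
        $verdict = is_select_with_limit($sql) ? 'SELECT with LIMIT' : 'no match';
    } catch (RuntimeException $e) {
        $verdict = 'error: ' . $e->getMessage();
    }
    echo str_replace("\n", ' ', $sql), ' => ', $verdict, "\n";
}
```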