ID: 35960 Updated by: [EMAIL PROTECTED] Reported By: djmaze at cpgnuke dot com -Status: Open +Status: Bogus Bug Type: *Regular Expressions Operating System: Windows PHP Version: 5.1.1 New Comment:
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php echo $exploited; is much more easier way to output a variable. Previous Comments: ------------------------------------------------------------------------ [2006-01-10 12:14:58] djmaze at cpgnuke dot com Description: ------------ When using preg_replace() with the 'e' modifier you can exploit variables since the $ sign doesn't get backslashed. Tested on several PHP versions both 4.x and 5.x Reproduce code: --------------- <?php error_reporting(E_ALL); $exploited = 'my password'; $exploit = '[php]$exploited[/php]'; function highlight_php($txt) { return "<pre>$txt</pre>"; } echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php("\\1")', $exploit); # exploited echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php(\'\\1\')', $exploit); # no exploit ?> Expected result: ---------------- <pre>$exploited</pre> Actual result: -------------- <pre>my password</pre> ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=35960&edit=1
