ID: 36703
Comment by: no at help dot com
Reported By: 5jpck6k02 at sneakemail dot com
Status: No Feedback
Bug Type: PCRE related
Operating System: Linux
PHP Version: 5.1.2

New Comment:

http://oakleysunglass.blogspot.com

Previous Comments:
------------------------------------------------------------------------

[2006-03-20 01:00:05] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is being
suspended automatically. If you are able to provide the information that
was originally requested, please do so and change the status of the bug
back to "Open".

------------------------------------------------------------------------

[2006-03-12 09:13:39] [EMAIL PROTECTED]

Not enough information was provided for us to be able to handle this
bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it to this bug and
change the status back to "Open".

Thank you for your interest in PHP.

The 3 fields in the form (the reproduce code, the expected result and the
actual result) are not just for fun. Please fill them in with the
appropriate information: the code, the result you expect to get and the
result you actually get.

------------------------------------------------------------------------

[2006-03-12 09:01:38] 5jpck6k02 at sneakemail dot com

Description:
------------
A simple regular expression that has worked for years in PHP 4 suddenly
fails under PHP 5.

Reproduce code:
---------------
    // Reject any GET parameter containing a character outside the allowlist.
    foreach ($_GET as $val) {
        if (preg_match("/[^a-z0-9_\-\+]/i", $val)) {
            die("<p>Invalid request.</p>");
        }
    }

Expected result:
----------------
The above code is used to filter out bogus GET requests containing
potential XSS attacks at the top of a script. It should allow all
legitimate requests comprised of alphanumeric characters, underscores,
and plus and minus signs through, while kicking out anything containing
a character not included in the character class.

Actual result:
--------------
The regex matches plus signs contained in query strings even though the
plus sign is explicitly included in the negated character class.

I believe it is being interpreted as a quantifier when it is meant to be
taken literally; I have not been able to find any means of successfully
including a literal plus sign in a character class under PHP 5 to date.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=36703&edit=1
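The following is an added example, not part of the bug report or of PHP's own test suite. It runs the reporter's negated character class against a few constructed strings, and then shows what PHP's query-string parsing does to a plus sign before the value ever reaches the regex: in application/x-www-form-urlencoded data a bare `+` encodes a space, while a literal plus must be sent as `%2B`. The helper name `isValidValue` and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not from the bug report): exercise the reporter's
// allowlist pattern directly, then look at what the query-string decoder
// hands to it.

// Same character class as in the report. preg_match() returns 1 on a match,
// 0 on no match and false on error; treating anything but 0 as invalid
// fails closed, so a malformed pattern or input can never be "allowed".
function isValidValue(string $val): bool
{
    return preg_match('/[^a-z0-9_\-\+]/i', $val) === 0;
}

// Constructed inputs fed straight to the pattern, bypassing $_GET.
$cases = [
    'abc+def',     // literal plus sign, which the class lists explicitly
    'abc-def_1',   // hyphen, underscore and digits, all allowed
    'abc def',     // a space is not in the class
    'abc<script>', // angle brackets are not in the class
];
foreach ($cases as $c) {
    printf("%-14s %s\n", var_export($c, true),
        isValidValue($c) ? 'allowed' : 'rejected');
}

// parse_str() decodes a query string the same way PHP populates $_GET:
// '+' is the form encoding of a space, '%2B' is the encoding of a plus.
// The decoded value, not the raw URL text, is what the regex sees.
parse_str('raw=abc+def&enc=abc%2Bdef', $decoded);
foreach ($decoded as $name => $val) {
    printf("%s => %s : %s\n", $name, var_export($val, true),
        isValidValue($val) ? 'allowed' : 'rejected');
}
```

Run it with `php example.php`. A value that contains a plus sign in the decoded form passes the class, so a rejection of a "plus sign" from a live request is worth checking against the decoded `$_GET` value (for instance with `var_dump($_GET)`) before concluding that the character class itself is at fault.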