Can someone explain the /e regex modifier? [duplicate]

by

The e Regex Modifier in PHP with example vulnerability & alternatives

What e does, with an example…

The e modifier is a deprecated regex modifier which allows you to use PHP code within your regular expression. This means that whatever you parse in will be evaluated as a part of your program.

For example, we can use something like this:

$input = "Bet you want a BMW.";
echo preg_replace("/([a-z]*)/e", "strtoupper('\\1')", $input);

This will output BET YOU WANT A BMW.

Without the e modifier, we get this very different output:

strtoupper('')Bstrtoupper('et')strtoupper('') strtoupper('you')strtoupper('') strtoupper('want')strtoupper('') strtoupper('a')strtoupper('') strtoupper('')Bstrtoupper('')Mstrtoupper('')Wstrtoupper('').strtoupper('')

Potential security issues with e

The e modifier is deprecated for security reasons. Here’s an example of an issue you can run into very easily with e:

$password = 'secret';
...
$input = $_GET['input'];
echo preg_replace('|^(.*)$|e', '"\1"', $input);

If I submit my input as "$password", the output to this function will be secret. It’s very easy, therefore, for me to access session variables, all variables being used on the back-end and even take deeper levels of control over your application (eval('cat /etc/passwd');?) through this simple piece of poorly written code.

Like the similarly deprecated mysql libraries, this doesn’t mean that you cannot write code which is not subject to vulnerability using e, just that it’s more difficult to do so.

What you should use instead…

You should use preg_replace_callback in nearly all places you would consider using the e modifier. The code is definitely not as brief in this case but don’t let that fool you — it’s twice as fast:

$input = "Bet you want a BMW.";
echo preg_replace_callback(
    "/([a-z]*)/",
    function($matches){
        foreach($matches as $match){
            return strtoupper($match);
        }
    }, 
    $input
);

On performance, there’s no reason to use e

Unlike the mysql libraries (which were also deprecated for security purposes), e is not quicker than its alternatives for most operations. For the example given, it’s twice as slow: preg_replace_callback (0.14 sec for 50,000 operations) vs e modifier (0.32 sec for 50,000 operations)

More Related Contents:

  1. regular expression [closed]
  2. How to get “v.3.1.2” in string by regex php [duplicate]
  3. Regex to validate range of numbers from 50 to 1000 with step of 50 [closed]
  4. Replace preg_replace() e modifier with preg_replace_callback
  5. Is there a PHP function that can escape regex patterns before they are applied?
  6. Remove new lines from string and replace with one empty space
  7. How to make dot match newline characters using regular expressions
  8. Remove control characters from PHP string
  9. How do I make this preg_match case insensitive?
  10. Matching a space in regex
  11. Regex for names
  12. Strip all HTML tags, except allowed
  13. Extract URL from string
  14. How to split a long string without breaking words?
  15. How to capitalize first letter of first word in a sentence?
  16. How do I extract query parameters from a URL string in PHP?
  17. How to Regex-replace multiple tags with one tag?
  18. regex matching links without tag
  19. Split string into sentences using regex
  20. How to search in an array with preg_match?
  21. Regex & PHP – isolate src attribute from img tag
  22. php regex word boundary matching in utf-8
  23. Replace tabs and spaces with a single space as well as carriage returns and newlines with a single newline
  24. How to validate a domain name using Regex & PHP?
  25. How to properly escape a backslash to match a literal backslash in single-quoted and double-quoted PHP regex patterns
  26. Regex matching table rows in HTML [duplicate]
  27. PHP – detect whitespace between strings
  28. What is the MM/DD/YYYY regular expression and how do I use it in php?
  29. Finding @mentions in string
  30. PHP: Escape RegEx pattern to prevent being applied?

Leave a Comment