ID: 36703
Updated by: [EMAIL PROTECTED]
Reported By: 5jpck6k02 at sneakemail dot com
-Status: Open
+Status: Feedback
Bug Type: PCRE related
Operating System: Linux
PHP Version: 5.1.2

New Comment:
Not enough information was provided for us to be able to handle this bug. Please re-read the instructions at http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it to this bug and change the status back to "Open". Thank you for your interest in PHP.

The 3 fields in the form (the reproduce code, the expected result and the actual result) are not just for fun. Please fill them with the appropriate information: the code, the result you expect to get and the result you actually get.

Previous Comments:
------------------------------------------------------------------------

[2006-03-12 09:01:38] 5jpck6k02 at sneakemail dot com

Description:
------------
A simple regular expression that has worked for years in PHP 4 suddenly fails under PHP 5.

Reproduce code:
---------------
foreach ($_GET as $val) {
    if (preg_match("/[^a-z0-9_\-\+]/i", $val)) {
        die("<p>Invalid request.</p>");
    }
}

Expected result:
----------------
The above code is used at the top of a script to filter out bogus GET requests containing potential XSS attacks. It should allow all legitimate requests comprised of alphanumeric characters, underscores, and plus and minus signs through, while kicking out anything containing a character not included in the character class.

Actual result:
--------------
The regex matches plus signs contained in query strings even though the plus sign is explicitly included in the negated character class. I believe it is being interpreted as a quantifier when it is meant to be taken literally. I have not been able to find any means of successfully including a literal plus sign in a character class under PHP 5 to date.

------------------------------------------------------------------------
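As an added example (not the reporter's code and not part of the PHP project), the following script runs the character class from the report against constructed values and then shows what a raw query string looks like after PHP decodes it into $_GET. It assumes PHP 7 or later for the type declarations.

```php
<?php
// Added example: exercises the pattern from the bug report on constructed input.

// Same pattern as in the report. In a double-quoted PHP string, "\-" and "\+"
// are not recognised escape sequences, so PCRE receives them unchanged and
// both characters are literal members of the negated class.
const PATTERN = "/[^a-z0-9_\-\+]/i";

/** Returns true when $value contains a character outside the allowed set. */
function isRejected(string $value): bool
{
    return preg_match(PATTERN, $value) === 1;
}

// Constructed values, as they would appear *after* PHP has populated $_GET.
$samples = [
    'abc_123'  => false, // alphanumerics and underscore are allowed
    'a-b+c'    => false, // a literal '-' and a literal '+' are in the class
    'a b'      => true,  // a space is not in the class
    '<script>' => true,  // angle brackets are not in the class
];

foreach ($samples as $value => $expected) {
    $got = isRejected($value);
    printf("%-10s rejected=%-5s %s\n", var_export($value, true),
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}

// How a raw query string reaches $_GET: parse_str() applies the same
// application/x-www-form-urlencoded decoding PHP uses for $_GET, in which a
// bare '+' stands for a space and '%2B' stands for a literal plus sign.
// Constructed query string: the first value arrives as "a b", the second as "a+b".
parse_str('q=a+b&r=a%2Bb', $decoded);
foreach ($decoded as $name => $value) {
    printf("%s=%s rejected=%s\n", $name, var_export($value, true),
        var_export(isRejected($value), true));
}
```

Run it from the command line with `php example.php` to compare the two decoded values against the table of literal inputs.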