with initial implementation from Rouven Wessling

PHP RFC: Deprecate mb_ereg_replace eval option

Introduction

This RFC aims at deprecating the e option that mb_ereg_replace and mb_eregi_replace provide.

Problems

Because the e option evaluates arbitrary PHP code, it can easily be exploited if user input is not carefully validated or sanitized before it reaches the replacement string.

Didn't we already do that?

No. Around 4 years ago an RFC was passed to deprecate the similar e modifier in preg_replace. That was carried out in PHP 5.5 (deprecation) and PHP 7 (removal). That a similar option is present in mb_ereg_replace was apparently overlooked.

Proposal

Emit an E_DEPRECATED error whenever mb_ereg_replace or mb_eregi_replace is called with the e option.

Backward Incompatible Changes

Once the feature is actually removed, any code relying on it will break. Whether silently or with an error will be left to decide in the removal RFC.

The suggested replacement, mb_ereg_replace_callback, has only been available since PHP 5.4.1. Projects which support both PHP 5.3 and PHP 7.1 may need two code paths to avoid deprecation warnings.

There is no mb_eregi_replace_callback function. Code using it will have to be converted to use mb_ereg_replace_callback with the i option.
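As an added illustration (not code from the RFC or from php-src) of the migration described in the two paragraphs above, the following shows a case-insensitive replacement written once with the deprecated e option and once with mb_ereg_replace_callback and the i option. The input string is constructed for the demonstration and the example assumes PHP with the mbstring extension.

```php
<?php
// Constructed sample input for the demonstration.
$text = 'Order totals: Price 12.50, PRICE 3.25';

// Legacy form: with the 'e' option the replacement argument is PHP source
// that is evaluated once per match, with \1 substituted from the match.
// This is what the RFC deprecates; under it the call emits E_DEPRECATED.
// If any part of that replacement string were derived from user input,
// the input would be executed as code rather than treated as data.
function legacy_format(string $text): string
{
    return mb_eregi_replace(
        'price ([0-9.]+)',
        '"PRICE=" . number_format(\\1, 2)',
        $text,
        'e'
    );
}

// Replacement form: the same transformation as a closure. The matched
// groups arrive in $m as plain strings and are never evaluated as code.
// The 'i' option restores the case-insensitive matching that
// mb_eregi_replace() provided, since there is no mb_eregi_replace_callback().
function callback_format(string $text): string
{
    return mb_ereg_replace_callback(
        'price ([0-9.]+)',
        function (array $m): string {
            return 'PRICE=' . number_format((float) $m[1], 2);
        },
        $text,
        'i'
    );
}

// Both produce: Order totals: PRICE=12.50, PRICE=3.25
echo callback_format($text), PHP_EOL;
```

On PHP versions before 5.4.1 only the legacy form exists, which is the two-code-path situation the RFC mentions.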

Future Scope

The removal of this feature is not part of this RFC. That should be done once a release in which removal is possible is actually on the agenda.

Patches and Tests

A patch is available: <https://github.com/php/php-src/pull/1994> (merged).

Votes

An option needs 50%+1 votes to win

Deprecate mb_ereg_replace eval option (100% approved)
User Vote
aharvey Yes
ajf Yes
bishop Yes
colinodell Yes
danack Yes
fa Yes
gasolwu Yes
guilhermeblanco Yes
jhdxr Yes
leigh Yes
levim Yes
mightyuhu Yes
nikic Yes
ocramius Yes
pmjones Yes
ryat Yes
sammyk Yes
stas Yes
tpunt Yes