Deprecate mb_ereg_replace eval option
- Currently implemented
- Target version: 7.1
- Approved at 100%
PHP RFC: Deprecate mb_ereg_replace eval option
- Version: 1.0
- Date: 2016-01-04
- Author: Rouven Weßling, firstname.lastname@example.org
- Status: Implemented (PHP 7.1)
- First Published at: https://wiki.php.net/rfc/deprecate_mb_ereg_replace_eval_option
e option evaluates arbitrary PHP code it can easily be exploited if user input is not carefully validated or sanitized.
Didn't we already do that?
No. Around 4 years ago a RFC was passed to deprecate a similar options in
preg_replace. This was executed in PHP 5.5 (deprecation) respectively PHP 7 (removal). That a similar option is present in
mb_ereg_replace was apparently overlooked.
Emit an E_DEPRECATED error whenever
mb_eregi_replace is called with the
Backward Incompatible Changes
Once the feature is actually removed, any code relying on it will break. Whether silently or with an error will be left to decide in the removal RFC.
The suggested replacement,
mb_ereg_replace_callback is has only been available since PHP 5.4.1. Projects which support both PHP 5.3 and PHP 7.1 may need two code paths to avoid deprecation warnings.
There is no
mb_eregi_replace_callback function. Code using it will have to be converted to use
mb_ereg_replace_callback with the
The removal of this feature is not part of this RFC. This should be done, when a release, where this is possible, is actually on the agenda.
Patches and Tests
A patch is available: <https://github.com/php/php-src/pull/1994> (merged).
An option needs 50%+1 votes to win