add preg_quote_replacement() function

[tomasfejfar]

Description

$pattern = '/[[name]]/';
$template = 'My name is [[name]]';
preg_replace($pattern, $_POST['name'], $template);

This is prone to injection of any match from the pattern if user supplies for example Tomas$1Fejfar. There is a preg_quote function that can be used to escape special chars in template. There should be same function that would escape the replacement.

preg_quote_replacement($_POST['name']); // Tomas\$1Fejfar

IMHO it is enough to escape backslash and dollars with backslash, but I am not sure.

Currently the replacement must be escaped using userland function that makes it prone to mistakes.

[damianwadley]

Isn't this the sort of situation that preg_replace_callback is suited for? You can use it to return the exact string you want without any processing:

preg_replace_callback($pattern, fn() => $_POST['name'], $template)

It's the same problem as with SQL injection: don't provide the user any way to give anything that could be interpreted as processing directions, and instead separate the instructions from the data (using prepared statements). Here, the instructions are "replace [[name]] with a string" and the data is the value from $_POST to be replaced in.

[tomasfejfar]

You are correct, but it's not obvious that you should not use preg_replace this way. I certainly didn't think about it and I instead spent time implementing replacement quote function userland.

[tomasfejfar]

The docs for preg_quote even tell you you shouldn't use preg_quote to quote replacement, but it stays silent what you should do instead.