Regular Expressions

Removed /e modifier of preg_replace()

PHP developers frequently use regular expressions to match or replace patterns in strings – maybe even too frequently. Pattern matching using the built-in preg_*() functions lets you solve some common problems with a few lines of code, for example replacing placeholders as part of a templating engine. However, this can quickly get dangerous when combined with code execution. Allowing parts of user input – or data which was read from a remote system – to be executed as PHP code is, by definition, remote code execution, which is one of the most dangerous security issues that exist. That is the main reason, after all, why the use of the eval() function is usually discouraged.

Using the /e modifier when calling the function preg_replace(), PHP 5 (still) allowed you to write code that would execute a substring of the provided input string as PHP code. It has never been a good idea to do this, so we will not even show a code example. The /e modifier was deprecated in PHP 5.5 and, in due course, removed in PHP 7. If you need some of its flexibility, consider using the function preg_replace_callback(), which allows you to define a callback, for example a closure, that is executed for each match of the pattern.
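
The placeholder replacement mentioned above, written with preg_replace_callback() and a closure. This is an added example, not code from the original article; the function name renderTemplate(), the {{name}} placeholder syntax and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Replace {{name}} placeholders with values from $vars.
 * The matched text is only ever used as an array key; it is never
 * evaluated as PHP code, unlike a replacement done with the /e modifier.
 */
function renderTemplate(string $template, array $vars): string
{
    $result = preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        function (array $m) use ($vars): string {
            $key = $m[1];
            if (!array_key_exists($key, $vars)) {
                // Unknown placeholder: leave the original text untouched.
                return $m[0];
            }
            // The value is data. Escape it for the HTML output context.
            return htmlspecialchars((string) $vars[$key], ENT_QUOTES, 'UTF-8');
        },
        $template
    );

    if ($result === null) {
        // preg_replace_callback() returns null when the regex engine fails
        // (for example when the backtrack limit is hit). Fail closed.
        throw new RuntimeException('Regex error code: ' . preg_last_error());
    }

    return $result;
}

// Constructed sample input: "name" imitates untrusted user data that
// contains both PHP-looking text and HTML markup.
$vars = [
    'name'  => '<b>phpinfo();</b>',
    'count' => 3,
];

echo renderTemplate(
    'Hello {{ name }}, you have {{count}} messages. {{unknown}}',
    $vars
), PHP_EOL;
```

The untrusted value ends up in the output as escaped text, and the callback never passes matched input to eval() or any other code-evaluating construct.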

Removed eval Option for mb_ereg_replace()

The so-called Perl Regular Expressions (functions prefixed with preg_) are not the only way of evaluating regular expressions in PHP. In former times, there was also the ereg extension, which has been removed from PHP because it was not binary safe, meaning it would stop evaluating regular expressions on strings that contained a \0 character.

Another means of evaluating regular expressions is mb_ereg_replace(), which is part of the mbstring extension. It allows you to do pattern matching for strings with multi-byte encodings. Just like the /e modifier to preg_replace(), there is also an eval option to mb_ereg_replace(). As with preg_replace(), this eval option to mb_ereg_replace() has been removed in PHP 7.1 to prevent security issues through remote code execution.

Removed split()

The split() function that splits a string into an array using a regular expression has been removed in PHP 7. Use preg_split() instead, or explode() if you do not need regular expressions as delimiters in the first place.