B.10. preg_replace( )The preg_replace( ) function is useful for making string replacements that match a pattern. It can be extremely dangerous when tainted data is used to construct the pattern, however, because the e modifier makes it treat the replacement parameter as PHP code after the substitution. When used with the e modifier, regardless of whether it is intentional, it carries the same risk as eval( ). This function is a good candidate for inspection during a security audit or peer review. |