#36703 : Can't include a literal plus sign in a character class
24th May 06:35, External User



ID: 36703
Updated by: tony2001@php.net
Reported By: 5jpck6k02 at sneakemail dot com
-Status: Open
+Status: Feedback
Bug Type: PCRE related
Operating System: Linux
PHP Version: 5.1.2
New Comment:

Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


3 fields in the form: the reproduce code, the expected result and the
actual result are not just for fun.
Please fill them with the appropriate information: the code, the result
you expect to get and the result you actually get.


Previous Comments:
------------------------------------------------------------------------

[2006-03-12 09:01:38] 5jpck6k02 at sneakemail dot com

Description:
------------
A simple regular expression that has worked for years in PHP 4
suddenly fails under PHP 5.

Reproduce code:
---------------
foreach($_GET as $val)
{
    if ( preg_match("/[^a-z0-9_\-\+]/i", $val) )
    {
        die("<p>Invalid request.</p>");
    }
}

Expected result:
----------------
The above code is used to filter out bogus GET requests
containing potential XSS attacks at the top of a script. It
should allow all legitimate requests comprised of alphanumeric
characters, underscores, and plus and minus signs, through,
while kicking anything containing a character not included in
the character class out.

Actual result:
--------------
The regex matches plus signs contained in query strings even
though the plus sign is explicitly included in the negated
character class. I believe it is being interpreted as a
quantifier when it is meant to be taken literally. I have not
been able to find any means of successfully including a
literal plus sign in a character class under PHP 5 to date.


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=36703&edit=1
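
An added example, not part of the bug report and not PHP project code: it runs the report's pattern and an anchored allowlist with the same character set over constructed query strings, decoded with parse_str() (which decodes a query string the same way PHP does when it fills $_GET), to show which value the filter actually receives. The function names, constants and sample inputs are assumptions made for illustration, and the code is written for PHP 7.0 or later.

```php
<?php
// The pattern from the report, single-quoted so PCRE sees it unchanged.
const REPORT_PATTERN = '/[^a-z0-9_\-\+]/i';

// Same character set as an anchored allowlist. Inside [...] a plus sign is
// a literal and needs no backslash; the minus goes last so it is no range.
const ALLOW_PATTERN = '/\A[a-z0-9_+-]*\z/i';

// True when the report's negated class finds a character outside the set.
function report_rejects(string $val): bool
{
    return preg_match(REPORT_PATTERN, $val) === 1;
}

// True only for strings made up entirely of allowed characters.
function is_allowed_value($val): bool
{
    // Non-strings (?q[]=x makes $_GET['q'] an array) are rejected
    // before they reach preg_match().
    return is_string($val) && preg_match(ALLOW_PATTERN, $val) === 1;
}

// Constructed query strings (sample input, not taken from the report).
$samples = [
    'q=a+b',           // "+" in a query string is decoded to a space
    'q=a%2Bb',         // "%2B" is decoded to a literal plus sign
    'q=a-b_1',
    'q=%3Cscript%3E',  // decodes to "<script>"
    'q[]=x',           // decodes to an array, not a string
];

foreach ($samples as $qs) {
    parse_str($qs, $get);
    $val = $get['q'];
    $old = is_string($val) ? (report_rejects($val) ? 'reject' : 'pass') : 'n/a';
    $new = is_allowed_value($val) ? 'pass' : 'reject';
    printf("%-16s decoded: %-12s report: %-6s allowlist: %s\n",
        $qs, json_encode($val), $old, $new);
}
```
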