Open kkmuffme opened 1 year ago
@kkmuffme Thanks for opening this issue. That's a nasty one and you do have a point.
Since this is an extremely rare occurrence, most people don't know that this can possibly happen or aren't aware.
I'm not sure the overhead of always requiring addcslashes()
for all preg_replace()
calls containing a variable in the $replacement
parameter is the right solution for something which, by your own admission, will be pretty rare in practice.
I mean, when such a sniff would be used, the only way to "solve" the issue (aside from ignoring it) is to add the function call, even when it is not needed as you know the variable used in safe, which it will probably be in > 95% of all cases.
All in all, I'm not adverse to such a sniff, but I consider it low priority and up for grabs if someone wants to work on it.
Some notes for if/when someone would want to work on this:
$replacement
parameters containing a T_VARIABLE
token as one of the tokens in the parameter.preg_replace( $search, ...$otherParams)
.$replacement
parameter can either be a string or an array.
addcslashes()
to prevent potentially having to add the function call multiple times if multiple variables are being concatenated together, though the implementation details of addcslashes()
should be checked to be sure this is the right fix.So, yes, this sniff will be pretty complex to write.
Is your feature request related to a problem?
Simplistic example:
In practice anytime you use a variable as the replacement, if it contains
\
or$
followed by a number, preg replace will convert this to a back replacement group. Since this is an extremely rare occurence, most people don't know that this can possibly happen or aren't aware.Describe the solution you'd like
If a preg_replace call uses a variable as 2nd argument, the whole replacement arg or each variable in it must be wrapped in
addcslashes( $variable, '\\$' )
to fix this issue.Additional context (optional)
If this rule is something you think is better added in another phpcs ruleset, please let me know.