====== PHP RFC: Deprecate mb_ereg_replace eval option ====== * Version: 1.0 * Date: 2016-01-04 * Author: Rouven Weßling, me@rouvenwessling.de * Status: Implemented (PHP 7.1) * First Published at: https://wiki.php.net/rfc/deprecate_mb_ereg_replace_eval_option ===== Introduction ===== This RFC aims at **deprecating** the ''e'' option that ''[[http://php.net/mb_ereg_replace|mb_ereg_replace]]'' and ''[[http://php.net/mb_eregi_replace|mb_eregi_replace]]'' provide. ===== Problems ==== The ''e'' option evaluates arbitrary PHP code it can easily be exploited if user input is not carefully validated or sanitized. ===== Didn't we already do that? ===== No. Around 4 years ago a [[https://wiki.php.net/rfc/remove_preg_replace_eval_modifier|RFC]] was passed to deprecate a similar options in ''preg_replace''. This was executed in PHP 5.5 (deprecation) respectively PHP 7 (removal). That a similar option is present in ''mb_ereg_replace'' was apparently overlooked. ===== Proposal ===== Emit an E_DEPRECATED error whenever ''mb_ereg_replace'' or ''mb_eregi_replace'' is called with the ''e'' option. ===== Backward Incompatible Changes ===== Once the feature is actually removed, any code relying on it will break. Whether silently or with an error will be left to decide in the removal RFC. The suggested replacement, ''mb_ereg_replace_callback'' is has only been available since PHP 5.4.1. Projects which support both PHP 5.3 and PHP 7.1 may need two code paths to avoid deprecation warnings. There is no ''mb_eregi_replace_callback'' function. Code using it will have to be converted to use ''mb_ereg_replace_callback'' with the ''i'' option. ===== Future Scope ===== The removal of this feature is not part of this RFC. This should be done, when a release, where this is possible, is actually on the agenda. ===== Proposed Voting Choices ===== Should an E_DEPRECATED error be emitted whenever mb_ereg_replace or mb_eregi_replace is called with the e option? This vote will require a 50%+1 majority. Voting opened on January 28th 2016, to close on February 4th. * Yes * No ===== Patches and Tests ===== A patch is available: (merged). ===== References ===== [[rfc:remove_preg_replace_eval_modifier| RFC: Remove preg_replace /e modifier]]