I am working with a PHP script that finds var $_plgCode = #{comment(.?) contentid=(.?)

Question

0

Asked: May 23, 20262026-05-23T17:20:49+00:00 2026-05-23T17:20:49+00:00

I am working with a PHP script that finds var $_plgCode = #{comment(.?) contentid=(.?)

0

I am working with a PHP script that finds

var $_plgCode       = "#{comment(.*?) contentid=(.*?) option=(.*?) contenttitle=(.*?)}#i";

and then later uses this in:

preg_match_all($this->_plgCode, $_body, $matches);

and

$_body = preg_replace($this->_plgCode, $output, $_body);

The problem is that contenttitle can contain user input and hasn’t been hardened at all – so lots of things will break it, like if a user enters }, for example.

What kind of escaping of user input needs to be done on the contenttitle to ensure it doesn’t break the REGEX?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-23T17:20:50+00:00

Editorial Team

2026-05-23T17:20:50+00:00Added an answer on May 23, 2026 at 5:20 pm

Use preg_quote

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I am working with a PHP script that finds var $_plgCode = #{comment(.*?) contentid=(.*?)

Leave an answerCancel reply

1 Answer

I am working with a PHP script that finds var $_plgCode = #{comment(.?) contentid=(.?)

Leave an answer
Cancel reply