PHP
UnRealName, 2015-07-30 12:33:01

What to do with preg_replace in PHP?

There is a store on the Webasyst CMS. I tested it with the Virusdie antivirus and received a notification that there is a vulnerability.
The line is suspicious:

$language_iso2 = preg_replace('/^([\w])/e',"strtoupper('\\1')",$language->iso2);

Whole snippet:
if(!$language_iso2){
  $language = LanguagesManager::getCurrentLanguage();
  /*@var $language Language*/
  if(in_array(strtolower($language->iso2),array('en','ru','nl','de','lv','es'))){
    $language_iso2 = preg_replace('/^([\w])/e',"strtoupper('\\1')",$language->iso2);
  }
}

Please tell me how I can get rid of this so that the site does not break.
The file is located at the path:
/published/SC/html/scripts/modules/payment/class.chronopay.php


1 answer(s)
Mikhail Osher, 2015-07-30
@UnRealName

The "e" flag is considered deprecated; they say there may be security problems.
Use preg_replace_callback.

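$language_iso2 = preg_replace_callback(
    // The /e modifier is dropped: it cannot be combined with a callback.
    '/^([\w])/',
    function($m) {
        // $m[1] is the first character captured by the pattern.
        return strtoupper($m[1]);
    },
    $language->iso2
);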

// UPD
php.net/manual/ru/function.preg-replace.php
php.net/manual/ru/reference.pcre.pattern.modifiers...
The /e modifier is now deprecated. Use the preg_replace_callback() function. See the PREG_REPLACE_EVAL documentation for more information and security issues.
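
To locate other uses of the same construct in a code base, here is an added example (not part of the original answer, and not Webasyst or Virusdie code): a PHP script that tokenizes a source string and reports each preg_replace() call whose literal pattern carries the /e modifier. The function names pcre_modifiers and find_eval_modifier are made up for this example, and the sample input is constructed from the lines quoted above.

```php
<?php
// Added example, not Webasyst or Virusdie code; function names are illustrative.
/** Modifier letters of a PCRE pattern such as "/^([\w])/e", or null if unparsable. */
function pcre_modifiers(string $pattern): ?string
{
    $pattern = ltrim($pattern);
    if ($pattern === '') { return null; }
    // Bracket-style delimiters close with the matching bracket.
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$pattern[0]] ?? $pattern[0];
    // Modifiers are letters, so the last delimiter occurrence ends the pattern.
    $end = strrpos($pattern, $close);
    return ($end === false || $end === 0) ? null : (string) substr($pattern, $end + 1);
}

/** Return [line, pattern literal] for every preg_replace() call that uses /e. */
function find_eval_modifier(string $source): array
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(token_get_all($source), function ($t) use ($skip) {
        return !is_array($t) || !in_array($t[0], $skip, true);
    }));
    $hits = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t) || $t[0] !== T_STRING || strtolower($t[1]) !== 'preg_replace') {
            continue; // preg_replace_callback and other names are not matched
        }
        $arg = $tokens[$i + 2] ?? null;
        if (($tokens[$i + 1] ?? null) !== '('
            || !is_array($arg) || $arg[0] !== T_CONSTANT_ENCAPSED_STRING) {
            continue; // pattern is not a plain string literal: review by hand
        }
        $mods = pcre_modifiers(substr($arg[1], 1, -1)); // strip the PHP quotes
        if ($mods !== null && strpos($mods, 'e') !== false) {
            $hits[] = [$t[2], $arg[1]];
        }
    }
    return $hits;
}

// Constructed sample: the flagged call from the question, then the callback form.
$sample = <<<'PHP'
<?php
$a = preg_replace('/^([\w])/e', "strtoupper('\\1')", $language->iso2);
$b = preg_replace_callback('/^([\w])/', function ($m) { return strtoupper($m[1]); }, $language->iso2);
PHP;
foreach (find_eval_modifier($sample) as [$line, $pattern]) {
    echo "line $line: preg_replace with /e modifier: $pattern\n";
}
```

Patterns assembled from variables or concatenation are skipped and need manual review, and on PHP 8 a call written as \preg_replace is tokenized as a qualified name, which this check does not cover.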
