Do not use /e in preg_replace() - use preg_replace_callback() instead

Last updated on 20 September 2016

Security advisories such as SA-CONTRIB-2010-027 and SA-CONTRIB-2010-030 have pointed out the risk of passing user input through regular expressions that use the /e flag, which causes the replacement string, with the matches substituted into it, to be evaluated as PHP code.

Mistakes in escaping strings can lead to arbitrary code execution vulnerabilities, which will likely result in total compromise of your Drupal site.

For this reason, the /e flag should be avoided as insecure. It is generally possible to use preg_replace_callback() instead: the callback receives each match as data and returns the replacement string, so user input is never evaluated as PHP.
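As an added illustration that is not part of this page or of any Drupal module: a small tag-expansion filter written first with the historical /e idiom (left commented out, because PHP 5.5 deprecated the modifier and PHP 7 rejects it) and then with preg_replace_callback(). The tag syntax, the function name and the sample input are constructed for the example.

```php
<?php
// Constructed example: expand "[upper:...]" tags in user-supplied text.

// Historical, insecure idiom. With /e the replacement string is evaluated
// as PHP after the captured group is substituted into it, so the matched
// text becomes part of the code and a stray quote in the input breaks out
// of the string literal. PHP 5.5 deprecated /e; PHP 7 refuses it and
// preg_replace() returns NULL.
// $out = preg_replace('/\[upper:([^\]]+)\]/e', 'strtoupper("$1")', $text);

/**
 * Safe replacement: the callback receives the match as a plain string and
 * returns the replacement as a plain string. Nothing is evaluated.
 */
function expand_upper_tags($text) {
  $out = preg_replace_callback(
    '/\[upper:([^\]]+)\]/',
    function (array $m) {
      // $m[0] is the whole match, $m[1] the captured tag body; both are data.
      return strtoupper($m[1]);
    },
    $text
  );
  // preg_replace_callback() returns NULL on a PCRE error (for example when
  // the backtrack limit is hit on hostile input); fail loudly rather than
  // silently emitting an empty string.
  if ($out === null) {
    throw new RuntimeException('PCRE error: ' . preg_last_error());
  }
  return $out;
}

// Input containing a double quote: a string-literal delimiter under /e,
// an ordinary character for the callback.
$input = 'Greeting: [upper:say "hi" to the world]';
echo expand_upper_tags($input), PHP_EOL;
```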