
preg_replace /e Modifier (Removed)

security PHP 3.0+ Advanced

TL;DR

The /e modifier in preg_replace() evaluated the replacement as PHP code — removed in PHP 7.0. Any legacy code using it is a critical RCE vulnerability.

Explanation

preg_replace($pattern . 'e', $replacement, $subject) evaluated $replacement as PHP code after substitution. This allowed calls such as preg_replace('/.*/e', $_GET['cmd'], ''): direct remote code execution from user input. The modifier was deprecated in PHP 5.5 and removed in PHP 7.0.

The replacement is preg_replace_callback() with an explicit closure. Any legacy codebase running on PHP 5 with user input touching a preg_replace call that uses the /e flag has a critical RCE. Check all preg_replace calls for the 'e' flag in their regex patterns.
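The migration described above, shown as an added example that is not code from this glossary entry: a constructed legacy /e idiom (BBCode-style bold tags) next to its preg_replace_callback() equivalent. The pattern, the sample text and the function name boldUpper are illustrative; the code assumes PHP 8 for preg_last_error_msg().

```php
<?php
// Added example, not code from the glossary page: a typical legacy /e idiom
// next to its preg_replace_callback() equivalent. The BBCode-style pattern and
// the sample text are constructed for illustration. Assumes PHP 8.
declare(strict_types=1);

// PHP 5 form. With /e the replacement string had its backreferences
// substituted and was then evaluated as PHP code, so the replacement *is* a
// PHP expression. Kept only as data here; it is never passed to preg_replace.
$legacyPattern     = '/\[b\](.*?)\[\/b\]/e';
$legacyReplacement = "'<b>' . strtoupper('\\1') . '</b>'";

// PHP 7+ form: the same pattern without the e modifier, and the expression
// moves into a closure that receives the match array as ordinary strings.
function boldUpper(string $text): string
{
    $result = preg_replace_callback(
        '/\[b\](.*?)\[\/b\]/',
        static function (array $m): string {
            return '<b>' . strtoupper($m[1]) . '</b>';
        },
        $text
    );
    // preg_replace_callback() returns null on a PCRE error (for example the
    // backtrack limit); fail closed rather than silently returning nothing.
    if ($result === null) {
        throw new RuntimeException('preg_replace_callback failed: ' . preg_last_error_msg());
    }
    return $result;
}

// Constructed input. The second tag body looks like PHP code, but the callback
// only ever sees it as a string to upper-case; nothing is evaluated.
$sample = 'say [b]hello[/b], not [b]phpinfo();[/b]';
echo boldUpper($sample), PHP_EOL;
```

The point of the pairing is that the legacy replacement string is literally PHP source, which is why any attacker influence over it (or over the pattern that selects the modifier) was code execution. In the callback form the match text is just an argument.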

Common Misconception

Misconception: the /e modifier only evaluates simple expressions. In reality it evaluates full PHP code, including system(), exec(), and arbitrary function calls.

Why It Matters

preg_replace /e with user-controlled input or replacement is a direct remote code execution vulnerability — one of the most critical PHP security issues in legacy code.

Common Mistakes

  • Any use of preg_replace with /e flag from user input.
  • Not auditing all preg_replace calls in legacy codebases.
  • Using variable patterns: preg_replace($userPattern . 'e', ...).
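All three mistakes above can be caught with a source audit. The following is an added example, not part of this glossary entry: a small audit script that uses PHP's own tokenizer (token_get_all()) to find preg_replace() calls and inspect the first argument. It reports literal patterns whose modifiers contain e, concatenations whose trailing literal supplies the e (such as the variable-pattern case in the list), and patterns built entirely at run time for manual review. Because it looks at the modifier position rather than at any quoted literal ending in e, it over-reports less than a plain grep such as the detection hint lower on this page. The function names auditPregReplaceE, pcreModifiers and unquote and the scanned sample source are my own constructions; the code assumes PHP 8.

```php
<?php
// Added example, not code from the glossary page: a tokenizer-based audit for
// preg_replace() calls that carry the e modifier. Assumes PHP 8 (str_contains).
// The source it scans is constructed below.
declare(strict_types=1);

// Modifier letters of a PCRE pattern string: '/abc/ie' -> 'ie'. Returns null
// when no closing delimiter is found (e.g. a fragment such as '/').
function pcreModifiers(string $pattern): ?string
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return null;
    }
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$pattern[0]] ?? $pattern[0];
    $end = strrpos($pattern, $close);
    return ($end === false || $end === 0) ? null : substr($pattern, $end + 1);
}

// Strip the quotes of a T_CONSTANT_ENCAPSED_STRING and undo the two escapes
// that matter for delimiter detection (escaped quote, escaped backslash).
function unquote(string $literal): string
{
    $q = $literal[0];
    return str_replace(['\\' . $q, '\\\\'], [$q, '\\'], substr($literal, 1, -1));
}

// Classify the first argument of every preg_replace() call in $source:
//   e-modifier       literal pattern whose modifiers include e, or a
//                    concatenation whose trailing literal supplies the e
//   dynamic-pattern  pattern built at run time; needs manual review
// Returns a list of ['line' => int, 'kind' => string, 'arg' => string].
function auditPregReplaceE(string $source): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $findings = [];

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || strcasecmp($t[1], 'preg_replace') !== 0) {
            continue;
        }
        // The next significant token must be '(' for this to be a call.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;
        }
        // Collect the first argument: tokens at nesting depth 0 up to the first
        // ',' or the closing ')'. $arg drops whitespace/comments, $raw keeps all.
        $arg = [];
        $raw = '';
        $depth = 0;
        for ($k = $j + 1; $k < $n; $k++) {
            $tk = $tokens[$k];
            if (!is_array($tk)) {
                if ($depth === 0 && ($tk === ',' || $tk === ')')) {
                    break;
                }
                $depth += ($tk === '(' || $tk === '[') ? 1 : 0;
                $depth -= ($tk === ')' || $tk === ']') ? 1 : 0;
                $arg[] = $tk;
                $raw .= $tk;
            } else {
                $raw .= $tk[1];
                if ($tk[0] !== T_WHITESPACE && $tk[0] !== T_COMMENT) {
                    $arg[] = $tk;
                }
            }
        }
        $finding = ['line' => $t[2], 'kind' => 'dynamic-pattern', 'arg' => trim($raw)];
        $last = end($arg);
        $lastIsLiteral = is_array($last) && $last[0] === T_CONSTANT_ENCAPSED_STRING;

        if (count($arg) === 1 && $lastIsLiteral) {
            // Single literal: read the modifiers after the closing delimiter.
            $mods = pcreModifiers(unquote($last[1]));
            if ($mods === null || !str_contains($mods, 'e')) {
                continue; // literal pattern without e: nothing to report
            }
            $finding['kind'] = 'e-modifier';
        } elseif ($lastIsLiteral
            && preg_match('/(?:^|[^A-Za-z0-9\s\\\\])([A-Za-z]*)$/', unquote($last[1]), $m)
            && str_contains($m[1], 'e')) {
            // Concatenation whose trailing literal holds the modifiers,
            // e.g. '/' . $x . '/e' or $userPattern . 'e'.
            $finding['kind'] = 'e-modifier';
        }
        $findings[] = $finding;
    }
    return $findings;
}

// Constructed sample source (not real project code): the forms this glossary
// entry describes, plus two safe calls that must not be reported.
$sample = <<<'PHP'
<?php
$a = preg_replace('/.*/e', $_GET['cmd'], '');
$b = preg_replace('/' . $_GET['pattern'] . '/e', $_GET['replacement'], $s);
$c = preg_replace($userPattern . 'e', $rep, $s);
$d = preg_replace($pat, $rep, $s);
$e = preg_replace("/\d+/i", '#', $s);
$f = preg_replace_callback('/([a-z]+)/', fn($m) => strtoupper($m[1]), $s);
PHP;

foreach (auditPregReplaceE($sample) as $finding) {
    printf("line %d: %-15s %s\n", $finding['line'], $finding['kind'], $finding['arg']);
}
```

Run over the constructed sample, lines 2 to 4 are reported as e-modifier and line 5 as dynamic-pattern; the safe /i call and the preg_replace_callback call produce nothing. Array patterns (preg_replace(['/a/e', ...], ...)) fall into the dynamic-pattern bucket, so they still surface for review. To audit a tree, feed each file's contents to auditPregReplaceE() and treat every e-modifier hit as a must-fix and every dynamic-pattern hit as a manual check.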

Code Examples

✗ Vulnerable
// PHP 5 — critical RCE:
preg_replace('/' . $_GET['pattern'] . '/e',
             $_GET['replacement'],
             $subject);
// Attacker: ?pattern=.*&replacement=system('cat /etc/passwd')
✓ Fixed
// PHP 7+ — use preg_replace_callback:
$result = preg_replace_callback(
    '/([a-z]+)/',
    function(array $matches): string {
        return strtoupper($matches[1]);
    },
    $subject
);
// Never pass user input as the callback

Added 22 Mar 2026
DEV INTEL: Tools & Severity

🔴 Severity: Critical · ⚙ Fix effort: Medium

⚡ Quick Fix
Replace every preg_replace call that uses the /e flag with preg_replace_callback. Upgrade to PHP 7+. Audit all preg_replace calls in legacy code for the /e flag.

📦 Applies To
PHP 3.0+ (web, cli)

🔍 Detection Hints
preg_replace.*['"].*e['"]
Auto-detectable: ✓ Yes (semgrep, phpstan)

🤖 AI Agent
Confidence: High · False positives: Low · ✓ Auto-fixable · Fix: Medium · Context: Function · Tests: Update

CWE-94, CWE-74, CWE-95
