{
    "slug": "php_preg_e_modifier",
    "term": "preg_replace /e Modifier (Removed)",
    "category": "security",
    "difficulty": "advanced",
    "short": "The /e modifier in preg_replace() evaluated the replacement string as PHP code after backreference substitution — deprecated in PHP 5.5, removed in PHP 7.0. Legacy code using it where an attacker influences the pattern, the replacement or the subject is a critical RCE vulnerability.",
    "long": "preg_replace($pattern . 'e', $replacement, $subject) substituted backreferences ($1 etc.) into $replacement, evaluated the result as PHP code, and used the return value as the replacement text. This allowed: preg_replace('/.*/e', $_GET['cmd'], '') — direct remote code execution from user input. Three inputs matter: the replacement (evaluated verbatim), the pattern (an attacker who controls the pattern string can append the 'e' modifier themselves), and the subject (matched text is spliced into the evaluated code; PHP escapes quotes, backslashes and NUL bytes in substituted backreferences, but a backreference placed inside a double-quoted string in the replacement is still exploitable through PHP's ${...} / {${...}} interpolation syntax). Deprecated in PHP 5.5 and removed in PHP 7.0, where such a call emits a warning and returns NULL instead of executing anything — so upgrading breaks the feature rather than silently securing it, and the call must be rewritten. The replacement is preg_replace_callback() with an explicit closure. Any legacy codebase running on PHP 5 with user input reaching a preg_replace call that uses the /e flag has a critical RCE. Check every preg_replace call for the 'e' modifier, including calls whose pattern or modifier string is assembled at runtime, which a grep for the literal '/e' will miss.",
    "aliases": [],
    "tags": [
        "php",
        "security",
        "rce",
        "preg-replace",
        "legacy"
    ],
    "misconception": "That the /e modifier only evaluates simple expressions or backreferences — it evaluates arbitrary PHP code, including system(), exec() and any other function call, with the privileges of the web server process.",
    "why_it_matters": "preg_replace /e with user-controlled input or replacement is a direct remote code execution vulnerability — one of the most critical PHP security issues in legacy code.",
    "common_mistakes": [
        "Any use of preg_replace with the /e flag where the pattern, the replacement or the subject is attacker-influenced.",
        "Not auditing all preg_replace calls in legacy codebases.",
        "Building the pattern from variables, e.g. preg_replace('/' . $userPattern . '/e', ...) — the user can change what matches (and cause catastrophic backtracking) even before the eval is considered, and a fully user-controlled pattern string lets them add the 'e' modifier themselves."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "eval_injection",
        "php_eol_schedule",
        "command_injection",
        "ssti"
    ],
    "prerequisites": [
        "eval_injection"
    ],
    "refs": [
        "https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php"
    ],
    "bad_code": "// PHP 5 — critical RCE:\npreg_replace('/' . $_GET['pattern'] . '/e',\n             $_GET['replacement'],\n             $subject);\n// Attacker: ?pattern=.*&replacement=system('cat /etc/passwd')",
    "good_code": "// PHP 7+ — use preg_replace_callback:\n$result = preg_replace_callback(\n    '/([a-z]+)/',\n    function(array $matches): string {\n        return strtoupper($matches[1]);\n    },\n    $subject\n);\n// Never build the callback from user input (no create_function() or eval()),\n// and keep the pattern static — a user-supplied pattern lets the user change\n// what matches and can cause catastrophic backtracking.",
    "quick_fix": "Rewrite every preg_replace call that uses the /e flag as preg_replace_callback with a fixed closure. Upgrade to PHP 7+, where /e emits a warning and returns NULL — the call still has to be rewritten, it does not become safe on its own. Audit ALL preg_replace calls in legacy code for the 'e' modifier, including patterns or modifier strings built at runtime, which a grep for the literal '/e' will miss.",
    "severity": "critical",
    "effort": "medium",
    "created": "2026-03-22",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/php_preg_e_modifier",
        "html_url": "https://codeclaritylab.com/glossary/php_preg_e_modifier",
        "json_url": "https://codeclaritylab.com/glossary/php_preg_e_modifier.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[preg_replace /e Modifier (Removed)](https://codeclaritylab.com/glossary/php_preg_e_modifier) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php_preg_e_modifier"
            }
        }
    }
}