Sanitizing user input to preg_replace / preg_replace_callback
Posted on 2008-10-27
preg_replace with the /e modifier and preg_replace_callback with a callback from create_function input allow function calls well outside of what one would expect to be allowed for string replacement functions, such as unlink(), system(), etc. Is there any good way of sanitizing this replacement pattern user input (disallowing non-string functions, for example)?
I suspect the answer is no but I thought I would ask.
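An added example, not part of the original post: rather than sanitizing replacement code, the user picks a transform by name from a fixed allowlist and the match is passed to a closure, so nothing user-supplied is ever evaluated as PHP. The function name safe_transform_replace, the ALLOWED_TRANSFORMS table and the sample inputs are hypothetical, and it assumes the application can restrict users to named transforms.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only functions a user may request, by short name.
const ALLOWED_TRANSFORMS = [
    'upper'   => 'strtoupper',
    'lower'   => 'strtolower',
    'reverse' => 'strrev',
    'title'   => 'ucfirst',
];

/**
 * Replace each match of a user-supplied regex body with an allowlisted transform.
 * Delimiters and modifiers are fixed here, so the caller cannot add /e (or any
 * other modifier), and the replacement is never parsed as code.
 */
function safe_transform_replace(string $regexBody, string $transform, string $subject): string
{
    if (!array_key_exists($transform, ALLOWED_TRANSFORMS)) {
        throw new InvalidArgumentException('Unknown transform: ' . $transform);
    }
    // Simplification: reject the delimiter and NUL outright instead of escaping them,
    // so the body cannot close the pattern early and smuggle in modifiers.
    if (strpbrk($regexBody, "~\0") !== false) {
        throw new InvalidArgumentException('Pattern contains a forbidden character');
    }
    $fn = ALLOWED_TRANSFORMS[$transform];
    $result = preg_replace_callback(
        '~' . $regexBody . '~',
        function (array $m) use ($fn): string {
            return $fn($m[0]); // the match is data passed to a fixed function
        },
        $subject
    );
    if ($result === null) {
        // Invalid regex, or a PCRE backtrack/recursion limit was hit.
        throw new InvalidArgumentException('Pattern could not be applied');
    }
    return $result;
}

// Constructed sample input.
echo safe_transform_replace('\b[a-z]+\b', 'upper', 'hello World'), "\n";

try {
    safe_transform_replace('.+', 'system', 'example'); // not in the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The /e modifier was removed in PHP 7.0 and create_function() in PHP 8.0, so on current PHP a closure passed to preg_replace_callback is the only one of these forms still available.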