Newsgroups: php.internals
Subject: Re: [PHP-DEV] [DISCUSSION] Validating regex pattern
Date: Wed, 1 Oct 2025 13:05:22 +0200
To: PHP internals list
From: cschneid@cschneid.com (Christian Schneider)

On 01.10.2025 at 11:01, Alexandre Daubois wrote:
> There is currently no way of knowing if a regex pattern is valid, apart from writing clunky code. [2]
>
> Two propositions emerged from the issue: either create a dedicated "preg_validate()" function, or add a new flag to "filter_var()", namely FILTER_VALIDATE_REGEX_PATTERN.

My concern would be that dynamically creating regex patterns has quite a lot of possible different foot guns and using something like preg_validate/filter_var to prevent warnings seems to not really solve the problem but give a false sense of security.
You can end up with a mostly working version which will only trigger the fail path later on depending on user input.

It boils down to: If you are not confident that you construct the pattern in a safe way then what would you do if a validation function returns false?
You can notify the developer but that is already accomplished with the preg_* warning when an invalid pattern is given. Creating an error page for the user on a warning is also already possible.

That's why I'm on the fence whether a validation function does more good or harm.

Regards,
- Chris
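
An illustration of the point made in the message above, added here and not part of the original mail or of php-src: a pattern built from user input can pass a validity check for most inputs, fail it for a few, and still be wrong when it does compile. The helper names and sample inputs are constructed for this example; the check uses the existing `@preg_match($pattern, '') !== false` idiom, since `preg_validate()` is only a proposal.

```php
<?php
// Added illustration; function names and inputs are constructed for this example.

// Validity check available today: compile against an empty subject and
// treat a false return (compile error) as "invalid".
function pattern_compiles(string $pattern): bool
{
    return @preg_match($pattern, '') !== false;
}

// Unsafe construction: the user-supplied term is interpolated as regex syntax.
function build_unsafe(string $term): string
{
    return '/^' . $term . '$/';
}

// Safe construction: the term is quoted, including the '/' delimiter.
function build_safe(string $term): string
{
    return '/^' . preg_quote($term, '/') . '$/';
}

// For one term, report what a validity check can and cannot tell you.
function assess(string $term): array
{
    $unsafe = build_unsafe($term);
    $valid  = pattern_compiles($unsafe);
    return [
        'term'            => $term,
        // What a validation function would report for the unsafe pattern.
        'unsafe_compiles' => $valid,
        // Valid but wrong: does the unsafe pattern accept an unrelated string?
        'unsafe_overmatch' => $valid && preg_match($unsafe, 'anything') === 1,
        // The quoted pattern always compiles and matches only the literal term.
        'safe_matches_literal' => preg_match(build_safe($term), $term) === 1,
        'safe_overmatch'       => preg_match(build_safe($term), 'anything') === 1,
    ];
}

// Constructed inputs: plain text, metacharacters, unbalanced group, delimiter.
foreach (['report', 'v1.0|.*', 'price(usd', 'a/b'] as $term) {
    $r = assess($term);
    printf("%-10s compiles=%d overmatch=%d | quoted: literal=%d overmatch=%d\n",
        $r['term'], $r['unsafe_compiles'], $r['unsafe_overmatch'],
        $r['safe_matches_literal'], $r['safe_overmatch']);
}
```

The `v1.0|.*` row is the case a validity check cannot catch: the pattern compiles, yet it matches any subject, while the `price(usd` and `a/b` rows only reach the failure path when that particular input arrives.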