I have concerns about the safe use of the function str_replace()
.
E.G.
$var = "abcdeefghij";
$var = str_replace("ee", "", $var); // Should be "abcdfghij"
Is it possible to bypass (get "abcdeefghij" - with 2 'e' letters) this by multibyte charset or null character for example?
EDIT:
I was thinking about something like this: abcd%6565fghij %6565
would be replaced by ee
, but str_replace()
wouldn't work because it is multibyte string (mb_str_replace()
).
Indeed, if ee
does not occur in the string in exactly that way, which means in a compatible encoding and without additional invisible characters, it won't match. As far as compatible encodings go, ee
in your source code is likely ASCII, so any ASCII compatible encoding will do (incl. Latin-1, UTF-8 and most single-byte encodings). If there are other characters/bytes in-between, it's obviously not the same string and won't match. Other lookalike characters obviously won't match either.