Tell me more ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 3 down vote favorite
3

so the string is like this:

"bla bla bla {VARIABLE} bla bla"

when I use this string somewhere in a function I want to replace {VARIABLE} with $variable (or any other uppercase strings with wrapped within {} charcters). $variable (and any other variables) will be defined inside that function

Can i do this?

share|improve this question
Yes, but this looks like a very bad idea of a template engine. – halfdan Sep 21 '10 at 19:34
i wouldnt call it a templating engine. it's just for a small part of the site, but I want any other modules/plugins to have the ability to change the string before it gets displayed on the screen – Alex Sep 21 '10 at 19:38
try {GLOBALS} and you're ready to be hacked – stillstanding Sep 21 '10 at 19:59

7 Answers

up vote 10 down vote accepted 
$TEST = 'one';
$THING = 'two';
$str = "this is {TEST} a {THING} to test";

$result = preg_replace('/\{([A-Z]+)\}/e', "$$1", $str);
share|improve this answer
1  
As your solution does the trick, the /e modifier is regarded a security risk. It also exposes global variables. – bouke Sep 21 '10 at 19:44
I'm assuming that the input is trusted -- i.e., that the source string is coming from the original programmer and not provided dynamically from a site visitor. If that's the case, the risk is mitigated. And if it's running inside a function as stated, it won't expose any globals. – Alex Howansky Sep 21 '10 at 19:52
thanks. yes the string is not really dynamic. but it can be changed by other modules (scripts). these modules can have malicious code anyway, so it's not important to protect the string from them... – Alex Sep 21 '10 at 19:59
@bouke: You couldn't do anything malicious only using alphabetic characters. So it should be secure enough. – NikiC Sep 21 '10 at 20:44
@nikic, what about variables like $dbuser or $dbpass? They would be disposed. On the other hand, if the code is located in a function this would be no problem because of the function's scope. – bouke Sep 22 '10 at 9:15
up vote 11 down vote

Use a regular expression to find all substitutions, then iterate over the result and replace them. Be sure to only allow variables you would want to expose.

// white list of variables
$allowed_variables = array("test", "variable", "not_POST", "not_GET",); 

preg_match("#(\{([A-Z]+?)\}#", $text, $matches);

// not sure the result is in [1], do a var_dump
while($matches[1] as $variable) { 
    $variable = strtolower($variable);

    // only allow white listed variables
    if(!in_array($variable, $allowed_variables)) continue; 

    $text = str_replace("{".$match."}", $$match, $text);
}
share|improve this answer
7  
+1 for whitelisting the variables! – Bill Karwin Sep 21 '10 at 19:48
up vote 2 down vote

This will work....

$FOO = 'Salt';
$BAR = 'Peppa';
$string = '{FOO} and {BAR}';
echo preg_replace( '/\{([A-Z]+)\}/e', "$$1", $string );

but it just seems like an awful idea.

share|improve this answer
up vote 1 down vote

The following is another solution, but I agree with other folks who are dubious about whether this is a wise thing for you to do.

<?php

$string = "bla bla bla {VARIABLE} bla bla";
$VARIABLE = "foo";

function var_repl($matches)
{
  return $GLOBALS[$matches[1]];
}

echo preg_replace_callback("/{(\w+)}/", "var_repl", $string);
share|improve this answer
up vote 1 down vote

I am glad I have found Bill Criswell's solution, but is it also possible to replace such variables:

string tmp = "{myClass.myVar}";

Where the PHP code would be something like:

class myClass
{
    public static $myVar = "some value";
}
share|improve this answer
up vote 4 down vote

Building on some of the other answers (especially Bill Karwin's & bouke)...

 class CurlyVariables {

  private static $_matchable = array();
  private static $_caseInsensitive = true;

  private static function var_match($matches)
  {
    $match = $matches[1];

    if (self::$_caseInsensitive) {
      $match = strtolower($match);
    }

    if (isset(self::$_matchable[$match]) && !is_array(self::$_matchable[$match])) {
      return self::$_matchable[$match];
    }

    return '';
  }

  public static function Replace($needles, $haystack, $caseInsensitive = true) {
    if (is_array($needles)) {
      self::$_matchable = $needles;
    }

    if ($caseInsensitive) {
      self::$_caseInsensitive = true;
      self::$_matchable = array_change_key_case(self::$_matchable);
    }
    else {
      self::$_caseInsensitive = false;
    }

    $out = preg_replace_callback("/{(\w+)}/", array(__CLASS__, 'var_match'), $haystack);

    self::$_matchable = array();

    return $out;
  }
}

Example: 

echo CurlyVariables::Replace(array('this' => 'joe', 'that' => 'home'), '{This} goes {that}', true);
share|improve this answer
up vote 4 down vote

Using $$vars and $GLOBALS both represent security risks. The user should be able to explicitly define the list of tags that are acceptable.

Below is the simplest single-function general solution I could devise. I chose to use double-braces as tag delimiters, but you can modify it easily enough.

/**
 * replace_tags replaces tags in the source string with data from the vars map.
 * The tags are identified by being wrapped in '{{' and '}}' i.e. '{{tag}}'.
 * If a tag value is not present in the tags map, it is replaced with an empty
 * string
 * @param string $string A string containing 1 or more tags wrapped in '{{}}'
 * @param array $tags A map of key-value pairs used to replace tags
 * @param force_lower if true, converts matching tags in string via strtolower()
 *        before checking the tags map.
 * @return string The resulting string with all tags replaced.
 */
function replace_tags($string, $tags, $force_lower = false)
{
    return preg_replace_callback('/\\{\\{([^{}]+)\}\\}/',
            function($matches) use ($tags)
            {
                $key = $force_lower ? strtolower($matches[1]) : $matches[1];
                return array_key_exists($key, $tags) 
                    ? $tags[$key] 
                    : '';
            }
            , $string);
}

[edit] Added force_lower param

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.