
FALSE POSITIVE: Metabox

Open buildapps2016 opened this issue 8 years ago • 3 comments

Hi,

Below is probably a false positive. Kindly please check it.

FILE: /home/r/u/ftp_-com/wp-content/themes/-/metaboxes/MetaBox.php

FOUND 1 ERROR AND 1 WARNING AFFECTING 2 LINES

448 | WARNING | Use of deprecated PHP4 style class constructor is not supported since PHP 7.
540 | ERROR | preg_replace() - /e modifier is deprecated since PHP 5.5 and removed since PHP 7.0

Below is line 540 of MetaBox.php; the /e modifier isn't used in the code below.

$value = maybe_unserialize( preg_replace( '!s:(\d+):"(.*?)";!es', "'s:'.strlen('$2').':\"$2\";'", stripslashes( $meta['value'] ) ) );

Best Regards, Samuel Chin http://www.buildapps.com.my/

buildapps2016 avatar May 13 '17 01:05 buildapps2016

Hi Samuel,

This is not a false positive. The regex in the preg_replace() is: '!s:(\d+):"(.*?)";!es'. The ! is used as the regex delimiter, which means that s:(\d+):"(.*?)"; is the effective regex with es as modifiers, i.e. e is one of the modifiers used and the error is legitimate.

jrfnl avatar May 13 '17 02:05 jrfnl
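The delimiter rule described in the reply above, as an added example that is not part of the original thread and is not PHPCompatibility's own code: it reads a pattern string the way the preg_* functions do and reports whether `e` ends up among the modifiers. The function names are hypothetical, and it goes beyond the thread's case by also handling bracket-style and escaped delimiters.

```php
<?php
// Added example, not PHPCompatibility's code. The first character of the
// pattern is the delimiter; everything after the matching unescaped closing
// delimiter is the modifier list.
function pcre_modifiers($pattern)
{
    $pattern = ltrim($pattern);                 // leading whitespace is skipped
    $len     = strlen($pattern);
    if ($len < 2 || ctype_alnum($pattern[0]) || $pattern[0] === '\\') {
        return null;                            // no valid delimiter
    }
    $open  = $pattern[0];
    $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
    $close = isset($pairs[$open]) ? $pairs[$open] : $open;
    $depth = 1;                                 // nesting, bracket delimiters only

    for ($i = 1; $i < $len; $i++) {
        $c = $pattern[$i];
        if ($c === '\\') {
            $i++;                               // escaped character, skip it
        } elseif ($c === $close && --$depth === 0) {
            return (string) substr($pattern, $i + 1);   // the rest is modifiers
        } elseif ($c === $open && $open !== $close) {
            $depth++;
        }
    }
    return null;                                // closing delimiter missing
}

function uses_e_modifier($pattern)
{
    $mods = pcre_modifiers($pattern);
    return $mods !== null && strpos($mods, 'e') !== false;
}

// The first two patterns are from the thread; the rest are constructed.
$samples = array(
    '!s:(\d+):"(.*?)";!es',   // thread, line 540: modifiers "es"
    '!s:(\d+):"(.*?)";!s',    // thread, preg_replace_callback version: "s"
    '/e/',                    // constructed: "e" is in the regex body only
    '{\d+}e',                 // constructed: bracket-style delimiters
    '#a\#b#ie',               // constructed: escaped delimiter in the body
);
foreach ($samples as $p) {
    printf("%-24s modifiers=%-5s /e=%s\n", $p,
        var_export(pcre_modifiers($p), true), uses_e_modifier($p) ? 'yes' : 'no');
}
```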

Thank you for your reply.

I replaced the statement with:

    if (version_compare(PHP_VERSION, '7.0.0') >= 0) {
        $value = preg_replace_callback('!s:(\d+):"(.*?)";!s', function($matches) {
            return 's:'.strlen($matches[2]).':"'.$matches[2].'";';
        }, stripslashes($meta['value']));
        $value = maybe_unserialize($value);
    } else {
        $value = maybe_unserialize( preg_replace( '!s:(\d+):"(.*?)";!es', "'s:'.strlen('$2').':\"$2\";'", stripslashes( $meta['value'] ) ) );
    }

but it is still detected as an error.

In this case, I can just ignore the result and my script will run on PHP 7.0, right?

buildapps2016 avatar May 13 '17 09:05 buildapps2016

The preg_replace_callback() function has existed since PHP 4, so why not use it unconditionally and remove the else part altogether? If you still want to be compatible with PHP 5.2, you would need to change the closure you use in it to a full function, but if you've dropped PHP 5.2 support already, using the closure should be fine.

jrfnl avatar May 13 '17 12:05 jrfnl