3v4l.org

run code in 300+ PHP versions simultaneously
<?php // That works on PHP versions earlier than 5.4.7. $replace_pattern = "a@e\0"; // Inject null byte here. $replace = 'print "Hacked!"'; // Any valid PHP Code. $transliterated = 'a'; $transliterated = preg_replace('@' . $replace_pattern . '@', $replace, $transliterated);
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/YvY2J
function name:  (null)
number of ops:  12
compiled vars:  !0 = $replace_pattern, !1 = $replace, !2 = $transliterated
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    3     0  E >   ASSIGN                                                   !0, 'a%40e%00'
    4     1        ASSIGN                                                   !1, 'print+%22Hacked%21%22'
    5     2        ASSIGN                                                   !2, 'a'
    7     3        INIT_FCALL                                               'preg_replace'
          4        CONCAT                                           ~6      '%40', !0
          5        CONCAT                                           ~7      ~6, '%40'
          6        SEND_VAL                                                 ~7
          7        SEND_VAR                                                 !1
          8        SEND_VAR                                                 !2
          9        DO_ICALL                                         $8      
         10        ASSIGN                                                   !2, $8
         11      > RETURN                                                   1

Generated using Vulcan Logic Dumper, using php 8.0.0

preferences:
147.19 ms | 1009 KiB | 14 Q