### Injection in PHP's preg_replace?
Do you know PHP's preg_replace? It works like a string replace in PHP: you look for something in a string, such as "azfar", and replace it with "jaka" in the string "azfar_here". The function finds what you are searching for and replaces it in the string you give it. You can read about preg_replace in the PHP documentation: https://www.php.net/manual/en/function.preg-replace.php
So why can preg_replace lead to injection in PHP? Any function or processing step in a program can be attacked if its input is not sanitized, as in this code.
```
<?php
$string = "azfar_here";
$find = "far";
$replace = "aaaa";
$final = preg_replace($find, $replace, $string);
echo "replaced: " . $final;
?>
```
preg_replace processes the delimiters in the pattern it is given. Have you ever thought about what happens if someone supplies the find value as /aaa/? That escapes the function and lets them pass in a function like phpinfo(), or some other execution on the system. Let me change the code to show you.
```
<?php
$string = "azfar_here";
$find = '/far/';
$replace = phpinfo();
$final = preg_replace($find, $replace, $string);
echo "replaced: " . $final;
?>
```

Yep, you can see that with the /aaa/ escape the function is closed and the next command I supplied gets executed.
And you will say that this only works locally :no_good:. Let me show it on a real website. This website looks normal, with 3 inputs: the text, what to find, and what to replace it with. Let me use the payload I showed you.

I can inject into this site to get phpinfo, which means my payload is processed and can execute a function, so can I trigger a system command? :eyes: :no_good:
So let's chain from preg_replace to command injection :rocket: and a reverse shell.

### Preventing injection
It's the usual prevention: whenever you have a feature that uses input, don't forget to sanitize your input, because ***"hackers will try anything from your input"***
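
One way to apply that sanitizing to the text / find / replace form described above, as an added example that is not code from the original post: the application fixes the delimiter and modifiers itself and treats both user values as literal text. The helper name `safe_replace`, the 256-byte limit and the sample inputs are assumptions made for illustration, and the code assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not from the original post. Assumes PHP 8.0+.
function safe_replace(string $text, string $find, string $replace): string
{
    // Refuse empty or oversized search terms before building a pattern.
    // The 256-byte limit is an assumed value for this example.
    if ($find === '' || strlen($find) > 256) {
        throw new InvalidArgumentException('invalid search term');
    }

    // The application fixes the delimiter and modifiers itself. preg_quote()
    // escapes regex metacharacters and the '/' delimiter, so user input is
    // matched as plain text and cannot close or extend the pattern.
    $pattern = '/' . preg_quote($find, '/') . '/';

    // In a replacement string "\" and "$" start backreferences (\1, $1, ${1});
    // escaping them makes the replacement literal text as well.
    $literal = addcslashes($replace, '\\$');

    $result = preg_replace($pattern, $literal, $text);
    if ($result === null) {
        // null signals a PCRE error; fail closed instead of echoing it.
        throw new RuntimeException('replace failed: ' . preg_last_error_msg());
    }
    return $result;
}

// Constructed inputs: a plain term, a delimiter-wrapped term like the one in
// the post, and a term containing a regex metacharacter.
foreach (['far', '/far/', 'a.f'] as $find) {
    $out = safe_replace('azfar_here', $find, '$0 aaaa');
    // Encode for HTML before echoing anything derived from user input.
    echo htmlspecialchars("$find => $out", ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

When no regex features are needed at all, `str_replace()` does the same literal replacement without building a pattern.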