A Practical Guide to Regular Expressions (No PhD Required)

A regular expression is a pattern that describes a set of strings. When you write a regex, you are defining a rule: "match anything that looks like this". The engine then applies that rule to text and tells you what matched.

Regex is not a programming language. It does not have variables, loops, or conditionals in the traditional sense. It is a pattern syntax — a compact notation for describing what strings to match, where to find them, and what to extract.

This distinction matters because it sets the right mental model. You are not writing code that does something — you are describing a shape, and the engine finds things that fit the shape.

Most practical regex work uses a small core of features. Learn these first and you will handle the vast majority of real tasks.

Literal characters: The simplest regex is just text. The pattern hello matches the string "hello" anywhere it appears. No magic.

Character classes [...]: Square brackets match any one character from a set. [aeiou] matches any vowel. [0-9] matches any digit. [a-zA-Z] matches any letter. The caret inside a class negates it: [^0-9] means "anything that is not a digit".

Shorthand classes: \d is short for [0-9]. \w matches word characters (letters, digits, underscore). \s matches whitespace. Their uppercase versions are the negations: \D means "not a digit".

Quantifiers: * means "zero or more". + means "one or more". ? means "zero or one (optional)". {3} means "exactly 3". {2,5} means "between 2 and 5".

Anchors: ^ matches the start of a string (or line in multiline mode). $ matches the end. Use these for validation patterns where you want to match the entire string, not just find something inside it.

Groups (...): Parentheses group parts of a pattern together. This is useful for applying quantifiers to multi-character sequences and for capturing substrings. (ab)+ matches "ab", "abab", "ababab", and so on.

Alternation |: The pipe character means "or". cat|dog matches either "cat" or "dog". Combine with groups for more control: (cat|dog)s? matches "cat", "cats", "dog", or "dogs".

Rather than memorising syntax, it is more useful to understand a few complete, real-world patterns and what makes them work.

Email validation (simplified): ^[\w.+-]+@[\w-]+\.[a-zA-Z]{2,}$

Breaking this down: ^ anchors to the start. [\w.+-]+ matches the local part (letters, digits, dots, plus, hyphen, one or more times). @ is a literal at-sign. [\w-]+ matches the domain name. \. is an escaped dot (a literal dot, not "any character"). [a-zA-Z]{2,} matches the TLD (at least 2 letters). $ anchors to the end.

UK postcode: ^[A-Z]{1,2}[0-9][0-9A-Z]?\s?[0-9][A-BD-HJLNP-UW-Z]{2}$

This looks intimidating, but each piece follows from the actual postcode rules. The character class [A-BD-HJLNP-UW-Z] encodes the specific letters allowed in the second half of a UK postcode — because not all letters are valid there.

ISO date (YYYY-MM-DD): ^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$

The alternations handle the constraints: months must be 01–12 (hence 0[1-9]|1[0-2]), and days must be 01–31. Note that this validates the format, not calendar validity — it will accept 2024-02-31, which is not a real date.

Forgetting to escape the dot: In regex, . means "any character" (except newline by default). If you want a literal dot — as in a file extension or a domain name — you must escape it: \.. The pattern example.com will also match "exampleXcom", "example5com", and so on.

Greedy matching biting you: By default, quantifiers are greedy — they match as much as possible. The pattern <.+> applied to <b>hello</b> will match the entire string, not just the tags. Adding ? after the quantifier makes it lazy: <.+?> matches the shortest possible string instead.

Not anchoring validation patterns: If you validate an email with [\w.+-]+@[\w-]+\.[a-zA-Z]{2,} (no anchors), it will accept strings like "definitely not valid — but this@is.valid — along with garbage" because the pattern finds a match anywhere inside the string. Add ^ and $ when you want to validate the whole string.

Catastrophic backtracking: Some regex patterns applied to certain inputs can cause the engine to exponentially backtrack, making it appear to hang. This usually occurs with nested quantifiers like (a+)+. For user-facing validation, always test your patterns with adversarial input and consider adding a timeout.

Regex syntax is mostly consistent across languages, but there are important differences that catch developers out.

JavaScript: Regex literals use forward slashes: /pattern/flags. Backslashes in strings must be doubled: "\\d+" in a string equals \d+ in a regex literal. Lookbehinds ((?<=...)) are available in modern engines but not in older browsers.

Python: Use raw strings to avoid backslash headaches: r"\d+" instead of "\\d+". The re module uses re.compile() for reused patterns and re.match() (anchored to start) vs re.search() (finds anywhere).

Java: Requires double-escaping in string literals since backslash is Java's escape character: "\\d+" becomes the regex \d+. Java's String.matches() automatically anchors the pattern — behaviour that surprises developers coming from other languages.

When in doubt, test your pattern in a tool like regex101.com (which also explains your pattern step by step) before putting it into production code.