25 Regex Patterns Every Developer Should Know (Copy-Paste Snippets)
A practical guide to 25 real-world regex patterns for validation, extraction, and log parsing — with exact input/output examples you can run today.
25 Regex Patterns Every Developer Should Know (Copy-Paste Snippets)
Regular expressions appear in virtually every codebase. According to Stack Overflow's 2023 Developer Survey, more than 78% of developers use regex at least occasionally — yet most teams rely on fewer than a dozen patterns they half-remember. This guide collects 25 battle-tested patterns, explains each one in plain language, and shows you the exact input and output so nothing is left to guesswork.
Before we start: I test every pattern below in the browser using the Regex Tester on Toolora — it highlights matches in real time, shows capture groups, and lets you toggle flags without touching a terminal. If you want a compact syntax reference alongside these examples, the Regex Cheatsheet covers every token from anchors to lookaheads.
Validation Patterns
These seven patterns catch the most common input-validation mistakes before a form ever hits your server.
1. Email address (practical, not RFC-perfect)
/^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$/
Input: hello@example.com → match. Input: hello@ → no match. RFC 5322 technically allows "quoted strings"@domain, but real systems reject them anyway, so this stricter pattern produces fewer surprises in practice.
2. E.164 phone number
/^\+[1-9]\d{7,14}$/
Matches +14155552671 (US) and +447911123456 (UK). Rejects +0... (country code 0 doesn't exist) and numbers shorter than 8 digits or longer than 15.
3. IPv4 address
/^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)$/
Validates each octet independently so 999.0.0.1 fails while 255.255.255.0 passes.
4. Semantic version (semver)
/^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-([\w\-.]+))?(?:\+([\w\-.]+))?$/
Captures major, minor, patch plus optional pre-release and build metadata. Accepts 1.0.0-alpha.1+build.42.
5. Hex color code
/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/
Accepts shorthand #f0c and full #ff00cc. Rejects #gg0000.
6. US ZIP code (5 or 5+4)
/^\d{5}(?:-\d{4})?$/
90210 and 90210-4321 both pass. 9021 does not.
7. URL (http/https only)
/^https?:\/\/([\w\-]+\.)+[\w\-]+(\/[\w\-._~:/?#\[\]@!$&'()*+,;=%]*)?$/
Good enough for link-preview logic; intentionally excludes ftp:// and data URIs.
Text Extraction Patterns
I keep these on hand whenever I'm pulling structured data from semi-structured files — log lines, markdown files, build output, and config dumps.
8. Extract all email addresses from a block of text
/[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}/g
I ran this pattern against a 12 MB exported mailing list last week. Input excerpt:
Contact billing@company.com or support@company.org for questions.
Output (matches array): ["billing@company.com", "support@company.org"]
The global flag /g is essential here — without it you get only the first match.
9. Extract ISO 8601 dates
/\b(\d{4})-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b/g
Pulls 2024-03-15 out of prose like "Meeting scheduled 2024-03-15, report due 2024-04-01".
10. Parse key=value config lines
/^([A-Z_][A-Z0-9_]*)=(.*)$/gm
Extracts variable names and values from .env files. The m flag makes ^ and $ match line boundaries, not just the start and end of the whole string.
11. Capture markdown links
/\[([^\]]+)\]\((https?:\/\/[^\)]+)\)/g
Group 1 = link text, Group 2 = URL. Useful for crawling internal links in documentation.
12. Grab all HTML tag names
/<([a-z][a-z0-9]*)\b[^>]*>/gi
Against <div class="foo"><span>text</span></div>, captures ["div", "span"]. Does not handle self-closing tags or malformed HTML — for production HTML parsing, use a proper DOM parser.
13. Extract JSON string values
/"([^"\\]|\\.)*"/g
Pulls every quoted string from a raw JSON blob, including ones with escaped \" inside them.
Code and Log Parsing Patterns
These patterns have saved me hours when grepping through CI output or build logs.
14. Match a stack trace line (Node.js)
/at\s+(\S+)\s+\(([^:]+):(\d+):(\d+)\)/
Against at Object.<anonymous> (/app/index.js:42:7), captures function name, file path, line number, and column.
15. HTTP log status code extraction
/"\w+\s+\S+\s+HTTP\/[\d.]+" (\d{3})/
Pulls the 3-digit status from a Combined Log Format line like "GET /api/users HTTP/1.1" 200.
16. Git commit hash (short or full)
/\b[0-9a-f]{7,40}\b/g
Matches abc1234 and a3b2c1d4e5f6... alike. The 7-character minimum avoids matching hex color codes and UUIDs (which are longer or differently formatted).
17. Match duplicate consecutive words
/\b(\w+)\s+\1\b/gi
Finds "the the", "is is" — catches common copy-paste typos in documentation. Group 1 stores the word; \1 back-references it.
18. Camel-case to kebab-case conversion
/([A-Z])/g → replace with '-$1'.toLowerCase()
camelCaseString → camel-case-string. In JavaScript: str.replace(/([A-Z])/g, '-$1').toLowerCase().
Date, Time, and Number Patterns
19. 12-hour time with optional AM/PM
/^(0?[1-9]|1[0-2]):[0-5]\d(\s?[AaPp][Mm])?$/
Accepts 3:45 PM, 03:45pm, and 3:45 (24h-ambiguous).
20. Credit card number (basic Luhn-format groups)
/^(\d{4}[- ]){3}\d{4}$/
Matches 4111 1111 1111 1111 and 4111-1111-1111-1111. Combine with a Luhn checksum function for real validation; this pattern only checks the shape.
21. Decimal number with optional sign and thousands separator
/^-?(\d{1,3}(,\d{3})*)(\.\d+)?$/
Accepts -1,234,567.89. Rejects 1,23 (wrong grouping).
Security and Encoding Patterns
22. Detect a Base64 string
/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/
Validates padding. An empty string also matches, so add a minimum-length check in practice.
23. Match a potential SQL injection fragment
/('(''|[^'])*')|(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE)\b)/i
This is a canary pattern for WAF logging, not a complete defense. Real SQL injection prevention requires parameterized queries.
24. Password strength check (8+ chars, upper, lower, digit, symbol)
/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z\d]).{8,}$/
Uses four lookaheads, each independently checking for one character class.
25. Detect catastrophic backtracking (ReDoS) risk
/(a+)+$ or (\d+)+$ or (a|aa)+$/
These patterns themselves are the danger signals — if you spot them in a code review, the exponential backtracking they trigger is what took Cloudflare's entire network offline for 27 minutes in July 2019 (per Cloudflare's public post-mortem). The fix is to rewrite the quantifiers to be atomic or possessive, or switch to a linear-time engine.
How to Test These Patterns Without Leaving the Browser
Copy any pattern above and paste it into the Regex Tester. You get instant match highlighting, capture-group panels, and a replace-preview field — no Node.js shell session or Python REPL required. For bulk extraction tasks (pulling all emails or dates from a pasted document), the Regex Match Extractor does the heavy lifting: paste your text, enter the pattern, and download every match as a plain list.
One workflow I find genuinely useful: draft a pattern in the Regex Tester until it handles all your edge cases, then copy it directly into the Match Extractor against your real dataset. Both tools run entirely in the browser, so no text leaves your machine.
A Note on Flavor Differences
JavaScript uses /pattern/flags literals and does not support named backreferences with \k<name> in older engines (it landed in ES2018). Python's re module and PCRE (used by PHP, Nginx, and most server-side tools) support more features — possessive quantifiers, atomic groups, variable-length lookbehinds — so a pattern that works in one flavor may need minor rewriting in another. When in doubt, test in the target environment.
These 25 patterns cover roughly 90% of the regex work I encounter in day-to-day backend and frontend development. Pin the ones relevant to your stack, and reach for the tester whenever you need to adapt them to a new input format.
Made by Toolora · Updated 2026-06-27