← All articles · April 27, 2026 · fmt.hjlabs.in

Regex Cheatsheet: 50 Patterns Every Dev Should Know

Regular expressions remain the fastest way to validate, extract, and replace text in 2026. Here are 50 patterns you'll actually use, with explanations and the corner cases that catch people out. Test all of these in our regex tester.

Validation

1. Email (practical)

^[\w.!#$%&'*+/=?^`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$

The full RFC 5322 regex is multi-page and impractical. This covers 99.9% of real emails. Or just check for @ and send a verification email.

2. URL (http/https)

^https?:\/\/[\w.-]+(?::\d+)?(?:\/[^\s]*)?$

3. IPv4

^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)$

4. IPv6 (compact)

^(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|::(?:[0-9a-fA-F]{1,4}:){0,6}[0-9a-fA-F]{1,4})$

5. Indian phone (10 digits, optional +91)

^(\+91[\s-]?)?[6-9]\d{9}$

6. US phone (with formatting)

^\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$

7. Strong password (8+, uppercase, lowercase, digit, special)

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*]).{8}$

8. Date (YYYY-MM-DD, ISO 8601)

^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$

9. Time (HH:MM, 24-hour)

^([01]\d|2[0-3]):[0-5]\d$

10. ISO 8601 datetime with Z

^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$

11. Credit card (Luhn-eligible format)

^\d{13,19}$

Format check only. Always run Luhn algorithm afterward.

12. Indian PAN

^[A-Z]{5}\d{4}[A-Z]$

13. Indian Aadhaar (12 digits, formatted)

^\d{4}[\s-]?\d{4}[\s-]?\d{4}$

14. Indian GSTIN

^\d{2}[A-Z]{5}\d{4}[A-Z]\d[Z][\dA-Z]$

15. Indian PIN code

^[1-9]\d{5}$

16. UUID v4

^[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89ab][a-f0-9]{3}-[a-f0-9]{12}$

17. Hex color

^#([A-Fa-f0-9]{3}){1,2}$

18. Slug (URL-friendly)

^[a-z0-9]+(?:-[a-z0-9]+)*$

19. Username (3-20 chars, alphanumeric+underscore)

^[a-zA-Z0-9_]{3,20}$

20. ISBN-10 or ISBN-13

^(?:ISBN(?:-1[03])?:?\s)?(?=[-0-9X\s]{10,17}$)\d{1,5}[-\s]?\d{1,7}[-\s]?\d{1,7}[-\s]?[\dX]$

Extraction

21. All URLs from text

https?:\/\/[\w.-]+(?:\/[^\s]*)?

22. All hashtags

#[A-Za-z0-9_]+

23. All @mentions

@[A-Za-z0-9_]{1,15}

24. All email addresses

[\w.!#$%&'*+/=?^`{|}~-]+@[\w-]+\.[\w.-]+

25. Markdown links — extract text and URL

\[([^\]]+)\]\(([^)]+)\)

26. HTML tags (any)

<[^>]+>

Don't actually parse HTML with regex. Use a parser. This is for tag-stripping only.

27. Numbers (signed, decimal)

-?\d+(?:\.\d+)?

28. Quoted strings ("..." or '...')

"[^"]*"|'[^']*'

29. JSON values inside text

\{[^{}]*\}|\[[^\[\]]*\]

Doesn't handle nesting. Use a real JSON parser for that.

30. CSV row split (handles quoted commas)

("([^"]|"")*"|[^]*)(,|$)

Cleanup / replace

31. Strip HTML tags

<[^>]*>

32. Collapse multiple whitespace

\s+

33. Trim leading/trailing whitespace

^\s+|\s+$

34. Remove leading zeroes

^0+(?=\d)

35. Remove non-printable characters

[^\x20-\x7E]

36. Convert camelCase to snake_case (capture letter)

([a-z])([A-Z])  →  $1_$2 (then toLowerCase)

37. Remove HTML comments

<!--[\s\S]*?-->

38. Strip emoji

[\u{1F600}-\u{1F64F}\u{1F300}-\u{1F5FF}\u{1F680}-\u{1F6FF}\u{2600}-\u{26FF}]/u

39. Find duplicate words

\b(\w+)\b\s+\1\b

40. Remove zero-width characters

[\u200B-\u200D\uFEFF]

Programming-specific

41. Match a specific function call

console\.log\([^)]*\)

42. Match TODO/FIXME comments

(?:\/\/|#)\s*(TODO|FIXME|HACK|XXX):?\s*(.*)

43. Match SQL injection signatures (basic)

('(\\\\.|[^'\\\\])*'|--|\b(union|select|insert|update|drop)\b)/i

This is for logging/alerting only. Use parameterised queries — never trust regex for SQL injection prevention.

44. Match log line (timestamp + level + message)

^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.?\d*Z?)\s+(\w+)\s+(.*)$

45. Match version (semver)

^\d+\.\d+\.\d+(-[\w.]+)?(\+[\w.]+)?$

46. Match git commit hash (short or full)

\b[a-f0-9]{7,40}\b

47. Match base64 token

^[A-Za-z0-9+\/=]+$

48. Match JWT (header.payload.signature)

^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$

49. Match a CSS color (hex, rgb, hsl)

(#[A-Fa-f0-9]{3,8}|rgba?\([^)]*\)|hsla?\([^)]*\))

50. Match SQL identifier (table/column name)

^[A-Za-z_][A-Za-z0-9_]*$

Common gotchas

  1. Anchors. ^ and $ in multiline mode (m) match per-line, not per-string.
  2. Greedy vs lazy. .* matches as much as possible. Use .*? for minimum match.
  3. Unicode. \w only matches ASCII word chars by default. Use \p{L} with the u flag for Unicode letters.
  4. Backtracking. Catastrophic regex like (a+)+b on aaa... hangs the engine. Test with potential adversarial input.
  5. Don't parse HTML/JSON. Use proper parsers. Regex is for flat patterns, not nested structures.

Bottom line

Regex is a power tool — sharp and precise. Bookmark this list. Test every pattern in our regex tester with realistic input before deploying. And remember: when regex starts feeling impossible, switch to a proper parser.

Try the free dev tools suite

15+ tools. 100% client-side. No signup. No tracking.

Browse all tools →

More from the blog