When not to use a regex

Published 2017-08-13 on Drew DeVault's blog

The other day, I saw Learn regex the easy way. This is a great resource, but I felt the need to pen a post explaining that regexes are usually not the right approach.

Let’s do a little exercise. I googled “URL regex” and here’s the first Stack Overflow result:

https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)

source

This is a bad regex. Here are some valid URLs that this regex fails to match:

  • http://x.org
  • http://nic.science
  • http://名がドメイン.com (warning: this is a parked domain)
  • http://example.org/url,with,commas
  • https://en.wikipedia.org/wiki/Harry_Potter_(film_series)
  • http://127.0.0.1
  • http://[::1] (ipv6 loopback)

Here are some invalid URLs the regex is fine with:

  • http://exam..ple.org
  • http://–example.org

This answer has been revised 9 times on Stack Overflow, and this is the best they could come up with. Go back and read the regex. Can you tell where each of these bugs are? How long did it take you? If you received a bug report in your application because one of these URLs was handled incorrectly, do you understand this regex well enough to fix it? If your application has a URL regex, go find it and see how it fares with these tests.

Complicated regexes are opaque, unmaintainable, and often wrong. The correct approach to validating a URL is as follows:

from urllib.parse import urlparse

def is_url_valid(url):
    try:
        urlparse(url)
        return True
    except:
        return False

A regex is useful for validating simple patterns and for finding patterns in text. For anything beyond that it’s almost certainly a terrible choice. Say you want to…

validate an email address: try to send an email to it!

validate password strength requirements: estimate the complexity with zxcvbn!

validate a date: use your standard library! datetime.datetime.strptime

validate a credit card number: run the Luhn algorithm on it!

validate a social security number: alright, use a regex. But don’t expect the number to be assigned to someone until you ask the Social Security Administration about it!

Get the picture?

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~sircmpwn/public-inbox@lists.sr.ht [mailing list etiquette]

I write software. Occasionally, I will compose a post for this blog.

~sircmpwn

ddevault

@sir@cmpwn.com

sir@cmpwn.com

7BC79407090047CA

Recent Posts

2018-12-04
How to abandon a FLOSS project
2018-11-15
sr.ht, the hacker's forge, now open for public alpha
2018-10-30
It's not okay to pretend your software is open source

My Work

A few interesting projects:

Sway, an i3-compatible tiling Wayland compositor
KnightOS, a Unix-like operating system for calculators
TrueCraft, a Minecraft beta 1.7.3-compatible game
aerc, a hackable asynchronous email client for your terminal
pass-rotate, the youtube-dl of automated password rotation

Consulting

Click here to learn about my consulting services.

Donate

Click here for information about donating to support my work.

License

The content for this site is CC-BY-SA. The code for this site is MIT.