PCRE in PHP
Also Known As
preg_match
preg_replace
preg_split
PHP regex functions
TL;DR
preg_match, preg_match_all, preg_replace, preg_split — and checking === false to distinguish errors from no-match.
Explanation
PHP regex functions: preg_match() returns 1/0/false. preg_match_all() returns count or false. preg_replace() returns string or false. preg_replace_callback() for callback replacement. preg_split() splits by pattern. preg_grep() filters arrays. preg_quote() escapes metacharacters for literal matching. All return false on error — use preg_last_error_msg(). Use $1 not \1 in replacement strings. PCRE caches compiled patterns.
Common Misconception
✗ "preg_match returns true/false." In fact, preg_match returns 1 (match found), 0 (no match), or false (error in pattern); always use === false to distinguish errors from no-match.
Why It Matters
Using if (!preg_match()) conflates no-match (0) with error (false) — pattern errors silently appear as no-match without strict === false checking.
Common Mistakes
- if (!preg_match()) treating error same as no-match — use === false
- Not using preg_quote() for user-supplied literal strings
- \1 instead of $1 in preg_replace replacement — use $1
- Building regex from unescaped user input — regex injection
Code Examples
✗ Vulnerable
// Silent error — pattern error looks like no-match:
$result = preg_match('/(?P<n>[a-z]+/i', $subject); // Missing )
if (!$result) {
    echo 'No match'; // Actually: broken pattern!
}

// User input without escaping — regex injection:
$search = $_GET['q']; // User enters: a+b
preg_match("/{$search}/", $text); // + is a metachar!
✓ Fixed
// Detect errors explicitly:
$result = preg_match('/^[a-z]+$/', $subject);
if ($result === false) {
    throw new RuntimeException('Regex error: ' . preg_last_error_msg());
}
if ($result === 0) { /* no match */ }

// Safe user input as literal:
$escaped = preg_quote($_GET['q'], '/');
$found = preg_match("/{$escaped}/i", $text); // Metacharacters escaped
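An added example, not part of the original entry: a valid pattern can also make preg_match() return false at run time when PCRE exhausts pcre.backtrack_limit, and a loose check reports that as "no match". The helper name regex_matches(), the sample pattern and the sample subject are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (name is an assumption): true on match, false on
// no-match, exception when PCRE itself failed. Requires PHP 8.0+ for
// preg_last_error_msg().
function regex_matches(string $pattern, string $subject): bool
{
    // @ silences the E_WARNING a malformed pattern raises; the return
    // value is what gets checked.
    $result = @preg_match($pattern, $subject);
    if ($result === false) {
        throw new RuntimeException('Regex error: ' . preg_last_error_msg());
    }
    return $result === 1;
}

// Make the engine limit easy to hit in a demo: interpreter only, low limit.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '10000');

// Constructed sample: nested quantifiers and a tail that can never match
// exhaust the backtrack limit, so preg_match() returns false, not 0.
$pattern = '/^(a+)+$/';
$subject = str_repeat('a', 64) . '!';

// Loose check: false is falsy, so the engine error reads as "no match".
$loose = !preg_match($pattern, $subject) ? 'no match' : 'match';
echo "loose check:  {$loose}\n";

// Strict check: the same call surfaces as an error the caller must handle.
try {
    $strict = regex_matches($pattern, $subject) ? 'match' : 'no match';
} catch (RuntimeException $e) {
    $strict = 'error (' . $e->getMessage() . ')';
}
echo "strict check: {$strict}\n";

// User-supplied text matched literally: preg_quote() with the delimiter,
// then the same strict helper. Constructed value stands in for $_GET['q'].
$needle = 'a+b';
$found  = regex_matches('/' . preg_quote($needle, '/') . '/i', 'Solve a+b=c');
echo 'literal search: ' . ($found ? 'match' : 'no match') . "\n";
```

When the regex guards a validation or filtering decision, treat the thrown error as a rejection rather than falling through to the "no match" branch.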
Added
16 Mar 2026
Edited
22 Mar 2026
⚡ DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: Medium
⚡ Quick Fix
Use named captures (?P<year>\d{4}) for readable matches; always add the u flag for Unicode strings; test with preg_last_error() to detect PCRE failures silently returning false
📦 Applies To
PHP 5.0+
web
cli
queue-worker
🔍 Detection Hints
preg_match without checking return value for false; regex without /u flag on Unicode input; no PCRE backtrack limit resulting in silent failure
Auto-detectable:
✓ Yes
phpstan
psalm
semgrep
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: Function
Tests: Update
CWE-400