"Not everyone can do that, mainly because nobody knows how to write a Regex" TBH this got me off guard!! I even choked on my own saliva for a brief moment. In the end, still very educational and fantastic content as usual sir!

I know this video wasn't about email... but... I think MS or some other people have determined there is no way to really verify an email with a regex. I think even MS changed it so they basically look for a single @ in the string to call it valid email format. The way to validate it is to send an email with a confirmation link. :)

In the cybersecurity, abusing regex like this is a category of DoS attacks called a ReDoS

The is an old saying: If you have a problem that requires Regex then you now have two problems.

If you have a problem and you have a solution via Regex - now you have two problems

Everything I see on your channel is super interesting and special. I never knew about those issues, but it is nice to know how to fix them. Sharing this with my colleagues.

that regex visualization site is really cool

Excellent video and great advice. We've fallen prey to this twice in the past. First an attack directly against one of our APIs and then during Cloudflare's global outage due to a bad regex on their side (not our fault in this case, but still an outage). At the time we changed the regex, but there are only a handful of people who know how to do this confidently on a complex regex. I really like these "safety net" approaches.

What's the downside to using NoBacktracking? Or rather, what would be a scenario where you would not want to use it?

Chapas flexing with 32 cores on us mortals @4:52

this kinda thing has been really useful keep it up bro

Amazing find sir. I had no idea backtracking can be so dangerous. Thank you so much for creating this video.

Regex is a super powerful. I just wish people would format it a little bit more. Usually I see regex and it is just a line of characters. RegEx code can be much easier to read when there is spacing, multiple lines, using different indenting, adding comments, etc. Programmers don't put CSharp code in a single line with no spaces or comments but in regex this is accepted. (and because its hard to read it's impossible to see any performance issues it might have)

That timeout option is quite cool when you know how long a normal regex will take to pass even under load. Plan to use it next time If makes sense when I write regex.

just a note: don't try to validate emails. It's nearly impossible to check if a mail is valid because so many special cases exist where it looks invalid but still is valid.

10 seconds to check if a given string is a valid e-mail? Sounds great! I mean I could do it with a little custom algorithm with ~0.001µs, but hey, it's regex!! We all love regex, don't we guys?! An E-Mail is setup like this: [text]@[domain].[ending] - Either split at the @ or get the index of it. If the result is !=2 elements in the array or -1 as index, you have either no @ or more than 1. Both should return "false" for the check. After that you get the last index of "." (apparently you can have multiple dots?). If it's -1, return false. Otherwise first part is the domain, the second part is the ending. Here you can verify if it's a valid e-mail address. It's really simple... I thought everybody would do this? Why even bother with Regex for this?

Very nice, as usual. Keep it up!

nice call on the Regex problem!

ooh very cool i just started doing my phd on symbolic automata regex. glad to see it being relevant

Very usefull video. Didn't know about this problem

Thanks for the insight nick

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems. ~ Jamie Zawinski

The best way to avoid issues with Regex is to not use it; and to avoid people that do use it!🙃

Thank u for this ❤❤

Brilliant!

Few years ago I had to check if an HTML string contained any email addresses using Regex. Needless to say, I had to reboot the Azure server after pushing to production 😂

I wonder if the Source Generator version was slower because it was compiled as debug. Maybe the dynamic compiled version generate optimized version regardless of compilation mode.

Thanks!

Great video as always! Personally I avoid Regex like the devil - it always takes so long to read and understand them in code.

What a subtle way to show us that you have a RTX 4090 :)

DataAnnotations should be safe as RegularExpressionAttribute has a default timeout of 2s (at least from .NET 5, idk before)

6:36 I felt it

Regex are not extremely hard lol. If you study them for about a week you should be able to create very powerful stuff. And also the secret to regexes in my opinion is to separate them in little chunks. When you study them you definitely learn what Nick is describing. I don't regret learning/using regexes. I also agree that they are not the most efficient option but if you understand what you are doing it saves a lot of time.

Excellent video as usual! I was wondering if anyone knows of any resources on how to scan Assemblies, I trying to build a setup for a minimal api project I am working on. I would like to pull all the classes that are using a particular interface or interfaces, register them in the IoC, so that it kind of auto-magically works. Do you Nick have any videos on this, or anyone know of anywhere I can look. Everything I have found are particular use cases. Sorry new to C#, I could figure it out I sure given enough time, just looking to speed up development a little and make the code a little more organized. Again great content. You have taught me more in the last month than I have learned in a year, and its more than beginner level, loving it.

Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.

I find it funny that people keep saying "nobody knows how to write RegEx", because I don't find it TOO difficult. I mean it still takes me a while to do anything remotely complex, but like, it's manageable imo. Usually I will have RegExr open in another tab, since it contains a cheat sheet with the most important features, and it quickly lets me validate that my RegEx works the way it should

Developer has a problem. Developer uses RegEx Developer now has 2 problems. :)

This kind of behaviour is frequently solved by using lazy capture instead of greedy capture, for example instead of using ()+ you should use ()+? I can see at least one greedy capture group in the shown expression. You should always try to avoid greedy captures, because of backtracking. Use ()*? or ()+? instead of ()* or ()+

Well it worth to also read RFC 2821 and very quickly it will be get clear that regular expressions are bad tool for email validation - variety of options for names and domain names is so huge that it makes almost no sense to check beyond the point that there's "@" that isn't preceded by "\" character somewhere in the middle there.

I use Regex for small strings with simple use cases,

These patterns overuse capturing groups. (x) should be (?:x) more often than not, i.e. non-capturing groups. It makes a ton of difference in regards to bloat and lag.

2:30 that is very some bad and inefficient code for that pattern. I'm guessing this tool is more to break down what the various regex implementations will do in an easy to understand manner, rather than to generate something actually worth using. I had looked at the specification of email addresses some time ago, I wanted to know what was valid, and how sub addressing was defined. Just the bits in common use are very complicated, and that's before you get to all the weird emails that no one sane would use, but are actually allowed by the standard, such as using quotes, escaping quotes inside the quotes, double @'s, non-ascii symbols, a % to set the route, sub addressing, etc. What the standard allows is insane, and trying to handle it via regex is a fool's errand. You're way better off writing a small program (or library) for the dedicated purpose of validating emails, by having it identify fragments, and validating them as defined.

What's the backdraws of nobacktracking?

Once again I've opened a PR during the video 😅

Thanks for the video, i already started using timeouts for regex wherever possible. However I don't fully understand what the non-backtracking option does. Why does it change the performance of the regex and what changes with the results?

Wow that's a monster computer! Too many cores

I love that regex for email... and it doesn't work, because email cannot be parsed by regex.

Hey Nick, does SQL validation also increase exponentially with more records. Can you share any document link which proves the same?

Validating emails is so ubiquitous that I wonder why tf Regex can't have a special symbol onyl for emails xD

My second biggest takeaway from this video is that Nick already has himself a RTX 4090 LOL

I've never decided to bother with regex. I see how it can be useful but its a clustered mess. Debugging and code maintenance would be a nightmare. I've done a lot of parsing and I doubt regex would be able to handle some of the inputs I've dealt with. For instance receipts with various formats printed that are cut off mid receipt and with inconsistent headers/footers scanned in low quality into an image format and placed into a pdf on which I would have to use OCR to extract the text. If you can imagine all the text is scrambled 5's tur in into S's 1's turn into I's etc. Sometimes characters are missing and you cant really rely on identifiable tags.

It happened to froze my browser tab while testing a regex for matching file paths (in JS). It wasn't because of the length of the input but more like some spaces in the input. Why does it use backtracking? Can it be avoided with the format of the regex? If you use something as simple as /w0rd/ is it still going to use backtracking?

My rule of thumb is: if possible avoid regex. Hard to write. Extremely hard to read for others. If you use proper typed data you will not need it. And no matter how much effort you put into testing and thinking about edge cases: there are sittlich too many times it will fail. For many strings there are alternative ways to verify them: IP address, URI, file path… very often the need to regex is based an a bad design or due to have to connect to legacy systems.

Soo you got the 4090, wondering what king of games you are playing :P

To me, Regex has always had the smell of something confusing to use, that I never really cared for. I'm looking forward to a replacement that humans can actually read.

I've tried this regex with php preg_match and it works fine I don't know if it's CSharp specific or what?

Thats odd. I wrote a longer comment and saw it in the comments but then it disappeared after a few minutes. Maybe the KZbin engine removed it after post-processing?

Which version is the NonBacktracking enum in? I'm targeting .Net framework 4.8 and it can't seem to find it (VS2022 automatically selects the language version, but even when forced to C# 8 it fails to find it).

Well what is the saying "If you try to solve one problem with RegEx you have now two problems!"

In some cases, I write my own algorithm to scan the string, so I can actually debug that.

Regex is very easy to do tbh, the nonbacktracking option affects the result??

Nice RTX4090 & 128gb ram, bro!

Does anyone acutely know how to use Regex

No backtracking will break the regex.

Regex kills my brain so why not the computer too

Wut? You already have RTX 4090? 5:00

Hate regex! If you re-engineer foreign code you will never know what was intended to validate for. The LIKE operator is not that flexible but I could always validate everything (maybe with a sequence of LIKE-lines - and it was human readable)

128 GB RAM? Yikes...

If you decide to solve the problem with regular expressions... You now have two problems: the original problem and the regular expression. It's an old joke....

Clicked so fast

Nick I know regex 😊 stop saying that if you don't man 😂 PS. just kidding ... I just can write regex but after a while only god knows what it is doing 😂😅

Nice seeing you in person @dotnetdays. Keep doing great things! You're awesome!

nick@n.n.n.n.n.n.n.n.n.c should be a CPU benchmark.

how about - don't do regex?... i know crazy, but with emails check if there is "@" symbol if it is, cool, accept it. applications should try to send you that email to continue with whatever you want. want to register? cool - type in the verification code? want to recover your account? cool, click on the link in your email. at the end of the day that's what truly validates your email address - you get an email.

Brb gonna go try signing up to everything with nick@n.n.n.n.n.n.n.n.n.n.n.n.n.n.n.c