This question already has an answer here:
I'm having trouble understanding the logic in the regular expression inside the preg_replace function. Specifically, I'm having trouble understanding the use of the caret inside the brackets. If I type a single letter/number that matches any letter/number in the username column, I'll get a match for that row. When I remove the caret, even when I don't search for anything, everything in my db matches. Can someone please elaborate on what's going on here? Thanks.
$searchq = $_POST['search'];
$searchq = preg_replace("/[^0-9a-z]/i","",$searchq );
$query = mysqli_query($conn, "SELECT * FROM people ".
"WHERE username LIKE '%$searchq%'") or die('Could not search.');
</div>
In basically every regex flavour, the square brackets [] denote a character class, which will match one instance of any character in it. A character class starting with a caret ^ is negated - i.e. it will match a single instance of any character that is not in it.
In this case, your character class will match any character that isn't a number or lowercase letter. Because your regex is in ignore-case mode (the i modifier), it'll match any character that isn't a number or ASCII letter (either upper or lowercase), and the preg_replace will strip it out by replacing it with the empty string ("").
[^0-9a-z] is a character class ([]). ^ in a character class is negation, aka "not", so literally it's saying "match anything that is NOT a digit or an alphabetical character.