What's scary here is that PHP returns 0 (meaning no match found) rather than FALSE, which is the error return value of preg_match. It's this attitude of failing silently that makes PHP feel like a dangerous language.
Granted, it's smart that PHP does have a default backtrack limit. I believe this would have prevented errors like the Django forms DoS vulnerability from a while back.
Perl has taken care to address some of these issues. See 'Algorithmic Complexity Attacks' in perldoc perlsec. For example, the keys of a hash table are guaranteed to be returned in random order, to prevent hash collision attacks on the hashing algorithm itself.
It appears they punt on the particular issue of regexes running out of memory though. Developers are told "careful crafting of the regular expressions can help," and told to read "Mastering Regular Expressions."
As I recall, Boost's regex library will throw an exception if evaluation of the regex is getting out of hand.
It's funny, I generally judge a regex library on how compatible it is with Perl's implementation. In this case though, I might actually prefer the behavior of Boost and PCRE.
This pattern is usually attributed to the famous Perl hacker, Abigail. Abigail is also noted as one of the people who popularized the idea of a JAPH. That is a short piece of Perl that prints out "Just another Perl hacker". For instance the very misleadingly commented:
$; # A lone dollar?
=$"; # Pod?
$; # The return of the lone dollar?
{Just=>another=>Perl=>Hacker=>} # Bare block?
=$/; # More pod?
print%; # No right operand for %?
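A caller-side check for the silent-failure case raised at the top of the thread, as an added example that is not part of any comment: it treats both a FALSE return and a non-zero preg_last_error() as an abort, so it does not depend on which value a given PHP version returns. The helper name safe_preg_match, the lowered limit, the pattern and the subjects are constructed for illustration.

```php
<?php
// Added example, not code from the thread. safe_preg_match() is a hypothetical helper.

function safe_preg_match(string $pattern, string $subject): bool
{
    $result = preg_match($pattern, $subject);
    $err = preg_last_error();

    // Either signal means the engine gave up, not that the input failed to match.
    if ($result === false || $err !== PREG_NO_ERROR) {
        $names = [
            PREG_INTERNAL_ERROR        => 'PREG_INTERNAL_ERROR',
            PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
            PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
            PREG_BAD_UTF8_ERROR        => 'PREG_BAD_UTF8_ERROR',
        ];
        throw new RuntimeException('preg_match aborted: ' . ($names[$err] ?? "error code $err"));
    }

    return $result === 1;
}

// Assumption for the demo: a low limit so the abort happens quickly.
ini_set('pcre.backtrack_limit', '10000');

// Constructed inputs. The nested repetition backtracks exponentially
// when the trailing [!?] can never match.
$pattern  = '/(?:\D+|<\d+>)*[!?]/';
$subjects = ['foobar!', '12345', 'foobar foobar foobar'];

foreach ($subjects as $subject) {
    try {
        $matched = safe_preg_match($pattern, $subject);
        printf("%-22s %s\n", $subject, $matched ? 'match' : 'no match');
    } catch (RuntimeException $e) {
        // Fail closed: an aborted match is handled as an error, never as "no match".
        printf("%-22s rejected (%s)\n", $subject, $e->getMessage());
    }
}
```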