$re = '/^(?:[[:^print:][:cntrl:]\s]|GIF89.{0,20})*<\?(?:php)?\s*.{0,120}\$_session\[[\'"]\w+[\'"]\]\s*=\s*\$_post\[[\'"]\w+[\'"]\].{0,120}\$md5=md5\("\$random"\);\s*\$base=base64_encode\(\$md5\);\s*\$host=md5\(.{0,50}\$logon="\w+\.html\?\$host\-\$host\-\$host\$host.{0,100}header\("location:\s*\$logon[[:punct:]\s]+$/si';
$str = '<?php
session_start();
$_SESSION[\'ssn\'] = $_POST[\'ssn\'];
$_SESSION[\'npin\'] = $_POST[\'npin\'];
$_SESSION[\'mmn\'] = $_POST[\'mmn\'];
$_SESSION[\'dl\'] = $_POST[\'dl\'];
$random=rand(0,100000000000);
$md5=md5("$random");
$base=base64_encode($md5);
$host=md5("$base");
$Logon="5.html?$host-$host-$host$host$host$host$host$host$host$host$host";
header("location: $Logon");
?>
';
preg_match_all($re, $str, $matches, PREG_SET_ORDER, 0);
// Print the entire match result
var_dump($matches);
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for PHP, please visit: http://php.net/manual/en/ref.pcre.php