
Medoo internal regex alters my insertion values #1071

Open
oscarsalesdev opened this issue Dec 21, 2022 · 1 comment

Comments

@oscarsalesdev

Information

  • Version of Medoo: 2.1.7
  • Version of PHP: 8.2
  • Type of Database (MySQL, MSSQL, SQLite...): MySQL
  • System (Linux|Windows|Mac): Linux

Describe the Problem
I was running an INSERT query with a string value like '<[email protected]>', and Medoo replaced my < > with quotes, leaving it like "xxxxx@xxxx"."com".

After investigating, I found that line 664 (function buildRaw) applies a preg_replace to the query:
'/(([`\']).*?)?((FROM|TABLE|INTO|UPDATE|JOIN|TABLE IF EXISTS)\s*)?<(([\p{L}][\p{L}\p{N}@$#-]*)(\.[\p{L}][\p{L}\p{N}@$#-]*)?)>([^,]*?\2)?/u'

This regex also modifies string values inside single quotes 'xxxxx', so I asked ChatGPT to fix it 😂 It gave me this:

'/(([`\']).*?)?((FROM|TABLE|INTO|UPDATE|JOIN|TABLE IF EXISTS)\s*)?(?<!')<(([\p{L}][\p{L}\p{N}@$#-]*)(\.[\p{L}][\p{L}\p{N}@$#-]*)?)>(?!')([^,]*?\2)?/u'

And it works! I haven't tested whether it causes other problems, but so far everything is working fine and the bug is solved.

Detail Code

Simply run this query:

$db->query("INSERT INTO table ( column ) VALUES ( '<[email protected]>' )");

Expected output
It should save exactly what you write, but instead, if you check the database after insertion, you will see:
"C5TBEC76-9DC0-4758-9FA1-21DDO6B91D59@mail"."com"

** I know that parameters shouldn't be passed like that, directly in the string, but that doesn't change the fact that Medoo shouldn't alter the value in this way, so I assumed it's a bug.

@catfan
Owner

catfan commented Dec 22, 2022

The <xxx> is the column and table syntax for query(). If you want to insert a value that includes <xxx>, it's recommended to use a prepared statement. It will be safer.

Check out the Prepared Statement section.
https://medoo.in/api/query
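The two ways of writing the reporter's INSERT so that the value never passes through the <name> rewrite, as an added example (not code from the issue or from Medoo itself). It assumes Medoo 2.x installed via Composer, a reachable MySQL database, and the documented query() placeholder map and insert() method; the database name, table name and sample e-mail are constructed.

```php
<?php
// Added example: keeps the inserted value out of the raw SQL string so the
// <name> token rewrite in buildRaw() never sees it.
require 'vendor/autoload.php';

use Medoo\Medoo;

$db = new Medoo([
    'type'     => 'mysql',
    'host'     => 'localhost',
    'database' => 'app',                          // assumed database name
    'username' => 'app',                          // assumed credentials
    'password' => getenv('DB_PASSWORD') ?: '',
]);

// Constructed sample value in the shape the reporter used: angle brackets
// around an e-mail address. Spliced directly into the SQL text this is
// indistinguishable from Medoo's <column> syntax and gets quoted as an
// identifier; bound as a parameter it is just data.
$email = '<someone@example.com>';

// 1. query() with a bound parameter. Only the statement text is scanned for
//    <name> tokens (here <accounts> and <email>, which we *want* quoted);
//    the value is sent to PDO separately under the :email placeholder.
$db->query(
    'INSERT INTO <accounts> (<email>) VALUES (:email)',
    [':email' => $email]
);
if ($db->error) {
    fwrite(STDERR, "query() failed: {$db->error}\n");
}

// 2. insert() builds the same prepared statement for you and binds every
//    value in the array, so no user-controlled text ever reaches the SQL.
$db->insert('accounts', ['email' => $email]);
if ($db->error) {
    fwrite(STDERR, "insert() failed: {$db->error}\n");
}

// last() shows the statement that was executed; the identifiers are quoted,
// the e-mail is intact because it was bound, not interpolated.
echo $db->last(), PHP_EOL;
```

Either form also removes the SQL-injection surface that string concatenation leaves open, which is the "safer" the maintainer refers to: the fix is not a tighter regex but keeping values out of the query text altogether.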
