Medoo internal regex alters my insertion values

[oscarsalesdev]

Information

• Version of Medoo: 2.1.7
• Version of PHP: 8.2
• Type of Database (MySQL, MSSQL, SQLite...): MySQL
• System (Liunx|Windows|Mac): Linux

Describe the Problem I was running an INSERT query with a string value like '\xxxxx@xxx.com\', and Medoo replaced my < > with quotes leaving it like "xxxxx@xxxx"."com".

After investigating, I found line 664 (function buildRaw), this function is applying a pregreplace to the query: '/(([`\']).?)?((FROM|TABLE|INTO|UPDATE|JOIN|TABLE IF EXISTS)\s)?\<(([\p{L}][\p{L}\p{N}@$#-]*)(.[\p{L}][\p{L}\p{N}@$#-_])?)>([^,]?\2)?/u'

This regex is also modifying string values inside single quotes 'xxxxx', so I asked ChatGPT to fix it 😂 It gave me this:

'/(([`\']).?)?((FROM|TABLE|INTO|UPDATE|JOIN|TABLE IF EXISTS)\s)?(?!\')<(([\p{L}][\p{L}\p{N}@$#-])(.[\p{L}][\p{L}\p{N}@$#-])?)(?!\')([^,]*?\2)?/u'

And it works! I haven't tested if it causes other problems, but for now so far everything's working fine and the bug is solved.

Detail Code

Simply run this query:

$db->query("INSERT INTO table ( column ) VALUES ( '<C5TBEC76-9DC0-4758-9FA1-21DDO6B91D59@mail.com>' )");

Expected output It should save exactly what you write, but instead, If you check the database after insertion, you will see: "C5TBEC76-9DC0-4758-9FA1-21DDO6B91D59@mail"."com"

** I know that parameters shouldn't be passed like that, directly in the string, but doesn't change the fact that Medoo shouldn't alter the value in this way, so I assumed it's a bug.

[catfan]

The <xxx> is the column and table syntax for query(). If you want to insert a value included <xxx>, it's recommended to use prepared statement. It will be safer.

Check out the Prepared Statement section. https://medoo.in/api/query