From 4386a3b1a384f1444e834a1e6fe3cfe1a9d00001 Mon Sep 17 00:00:00 2001
From: lukinovec
Date: Mon, 8 Jun 2026 10:38:23 +0200
Subject: [PATCH] Improve annotations in ValidatesDatabaseParameters

---
 src/Database/Concerns/ValidatesDatabaseParameters.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Database/Concerns/ValidatesDatabaseParameters.php b/src/Database/Concerns/ValidatesDatabaseParameters.php
index 9488fee0..fd242d45 100644
--- a/src/Database/Concerns/ValidatesDatabaseParameters.php
+++ b/src/Database/Concerns/ValidatesDatabaseParameters.php
@@ -22,6 +22,9 @@ trait ValidatesDatabaseParameters
      *
      * Used as the default allowlist in validateParameter(), which validates non-password
      * parameters such as database names or usernames.
+     *
+     * Since special characters are not used in non-password parameters commonly,
+     * we can be more strict about them to prevent SQL injection and other related issues.
      */
     protected function allowedParameterCharacters(): string
     {
@@ -31,10 +34,13 @@ trait ValidatesDatabaseParameters
     /**
      * Characters allowed in database user passwords.
      *
-     * Passwords are always quoted in the SQL statements, so it's safe
+     * Parameters are always quoted in the SQL statements, so it's safe
      * to allow a wider range of characters, as long as it doesn't include
      * characters that can break out of the quoted SQL strings (so e.g.
      * ', ", \, and ` aren't allowed).
+     *
+     * The allowlist is less strict for passwords than for other parameters
+     * because it's more common to use special characters in passwords.
      */
     protected function allowedPasswordCharacters(): string
     {
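Review bot: In the second hunk, replacing "Passwords" with "Parameters" widens the docblock's safety claim from passwords to every parameter, which contradicts the sentence added in the first hunk that non-password parameters need a stricter allowlist "to prevent SQL injection" — if all parameters were safely quoted, the stricter list would not be a security measure. Database names and usernames are identifiers rather than string literals and may be quoted differently (or not at all) by the statements that use them, which are outside this hunk, so the excluded-character list (`'`, `"`, `\`, `` ` ``) cannot be assumed to cover them. I would keep the claim scoped to the method it documents, e.g. ` * Passwords are always quoted as SQL string literals in the statements that use them, so it's safe`, and add one line to allowedParameterCharacters() stating that the allowlist is defense in depth and does not replace proper identifier quoting at the call site. Both method bodies start after their respective hunks, so the actual allowlists are not visible here.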