archtechx/tenancy
1
0
Fork 0
mirror of https://github.com/archtechx/tenancy.git synced 2026-06-20 22:54:05 +00:00
Code Activity

Improve annotations in ValidatesDatabaseParameters

Browse source
This commit is contained in:
lukinovec 2026-06-08 10:38:23 +02:00
parent b7045c52d8
commit 4386a3b1a3
1 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/Database/Concerns/ValidatesDatabaseParameters.php
View file

@ -22,6 +22,9 @@ trait ValidatesDatabaseParameters
* *
* Used as the default allowlist in validateParameter(), which validates non-password * Used as the default allowlist in validateParameter(), which validates non-password
* parameters such as database names or usernames. * parameters such as database names or usernames.
*
* Since special characters are not used in non-password parameters commonly,
* we can be more strict about them to prevent SQL injection and other related issues.
*/ */
protected function allowedParameterCharacters(): string protected function allowedParameterCharacters(): string
{ {
@ -31,10 +34,13 @@ trait ValidatesDatabaseParameters
/** /**
* Characters allowed in database user passwords. * Characters allowed in database user passwords.
* *
* Passwords are always quoted in the SQL statements, so it's safe * Parameters are always quoted in the SQL statements, so it's safe
* to allow a wider range of characters, as long as it doesn't include * to allow a wider range of characters, as long as it doesn't include
* characters that can break out of the quoted SQL strings (so e.g. * characters that can break out of the quoted SQL strings (so e.g.
* ', ", \, and ` aren't allowed). * ', ", \, and ` aren't allowed).
*
* The allowlist is less strict for passwords than for other parameters
* because it's more common to use special characters in passwords.
*/ */
protected function allowedPasswordCharacters(): string protected function allowedPasswordCharacters(): string
{ {