Use parameter binding in SELECT queries

2026-05-06 15:24:03 +00:00 · 2026-04-29 10:21:47 +02:00 · 2026-04-29 10:21:47 +02:00 · ad7d229daf
commit ad7d229daf
parent 808f52765c
8 changed files with 10 additions and 10 deletions
--- a/src/Database/Concerns/ManagesPostgresUsers.php
+++ b/src/Database/Concerns/ManagesPostgresUsers.php
@ -77,6 +77,6 @@ trait ManagesPostgresUsers

    public function userExists(string $username): bool
    {
-        return (bool) $this->connection()->select("SELECT usename FROM pg_user WHERE usename = '{$username}'");
+        return (bool) $this->connection()->select("SELECT usename FROM pg_user WHERE usename = ?", [$username]);
    }
 }
--- a/src/Database/TenantDatabaseManagers/MicrosoftSQLDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/MicrosoftSQLDatabaseManager.php
@ -22,6 +22,6 @@ class MicrosoftSQLDatabaseManager extends TenantDatabaseManager

    public function databaseExists(string $name): bool
    {
-        return (bool) $this->connection()->select("SELECT name FROM master.sys.databases WHERE name = '$name'");
+        return (bool) $this->connection()->select("SELECT name FROM master.sys.databases WHERE name = ?", [$name]);
    }
 }
--- a/src/Database/TenantDatabaseManagers/MySQLDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/MySQLDatabaseManager.php
@ -24,6 +24,6 @@ class MySQLDatabaseManager extends TenantDatabaseManager

    public function databaseExists(string $name): bool
    {
-        return (bool) $this->connection()->select("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = '$name'");
+        return (bool) $this->connection()->select("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = ?", [$name]);
    }
 }
--- a/src/Database/TenantDatabaseManagers/PermissionControlledMicrosoftSQLServerDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/PermissionControlledMicrosoftSQLServerDatabaseManager.php
@ -42,7 +42,7 @@ class PermissionControlledMicrosoftSQLServerDatabaseManager extends MicrosoftSQL

    public function userExists(string $username): bool
    {
-        return (bool) $this->connection()->select("SELECT sp.name as username FROM sys.server_principals sp WHERE sp.name = '{$username}'");
+        return (bool) $this->connection()->select("SELECT sp.name as username FROM sys.server_principals sp WHERE sp.name = ?", [$username]);
    }

    public function makeConnectionConfig(array $baseConfig, string $databaseName): array
--- a/src/Database/TenantDatabaseManagers/PermissionControlledMySQLDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/PermissionControlledMySQLDatabaseManager.php
@ -53,6 +53,6 @@ class PermissionControlledMySQLDatabaseManager extends MySQLDatabaseManager impl

    public function userExists(string $username): bool
    {
-        return (bool) $this->connection()->select("SELECT count(*) FROM mysql.user WHERE user = '$username'")[0]->{'count(*)'};
+        return (bool) $this->connection()->select("SELECT count(*) FROM mysql.user WHERE user = ?", [$username])[0]->{'count(*)'};
    }
 }
--- a/src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLSchemaManager.php
+++ b/src/Database/TenantDatabaseManagers/PermissionControlledPostgreSQLSchemaManager.php
@ -27,7 +27,7 @@ class PermissionControlledPostgreSQLSchemaManager extends PostgreSQLSchemaManage
        $this->connection()->statement("GRANT USAGE, CREATE ON SCHEMA \"{$schema}\" TO \"{$username}\"");
        $this->connection()->statement("GRANT USAGE ON ALL SEQUENCES IN SCHEMA \"{$schema}\" TO \"{$username}\"");

-        $tables = $this->connection()->select("SELECT table_name FROM information_schema.tables WHERE table_schema = '{$schema}' AND table_type = 'BASE TABLE'");
+        $tables = $this->connection()->select("SELECT table_name FROM information_schema.tables WHERE table_schema = ? AND table_type = 'BASE TABLE'", [$schema]);

        // Grant permissions to any existing tables. This is used with RLS
        foreach ($tables as $table) {
@ -37,9 +37,9 @@ class PermissionControlledPostgreSQLSchemaManager extends PostgreSQLSchemaManage
            $primaryKey = $this->connection()->selectOne(<<<SQL
                SELECT column_name
                FROM information_schema.key_column_usage
-                WHERE table_name = '{$tableName}'
+                WHERE table_name = ?
                AND constraint_name LIKE '%_pkey'
-            SQL)->column_name;
+            SQL, [$tableName])->column_name;

            // Grant all permissions for all existing tables
            $this->connection()->statement("GRANT ALL ON \"{$schema}\".\"{$tableName}\" TO \"{$username}\"");
--- a/src/Database/TenantDatabaseManagers/PostgreSQLDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/PostgreSQLDatabaseManager.php
@ -20,6 +20,6 @@ class PostgreSQLDatabaseManager extends TenantDatabaseManager

    public function databaseExists(string $name): bool
    {
-        return (bool) $this->connection()->select("SELECT datname FROM pg_database WHERE datname = '$name'");
+        return (bool) $this->connection()->select("SELECT datname FROM pg_database WHERE datname = ?", [$name]);
    }
 }
--- a/src/Database/TenantDatabaseManagers/PostgreSQLSchemaManager.php
+++ b/src/Database/TenantDatabaseManagers/PostgreSQLSchemaManager.php
@ -20,7 +20,7 @@ class PostgreSQLSchemaManager extends TenantDatabaseManager

    public function databaseExists(string $name): bool
    {
-        return (bool) $this->connection()->select("SELECT schema_name FROM information_schema.schemata WHERE schema_name = '$name'");
+        return (bool) $this->connection()->select("SELECT schema_name FROM information_schema.schemata WHERE schema_name = ?", [$name]);
    }

    public function makeConnectionConfig(array $baseConfig, string $databaseName): array