Add parameter validation to DB managers

DB manager methods validate the parameters they use in SQL statements using validateParameter() (excluding parameters passed via bindings in SELECT statements).

src/Database/TenantDatabaseManagers/TenantDatabaseManager.php

@@ -6,11 +6,15 @@ namespace Stancl\Tenancy\Database\TenantDatabaseManagers;
 
 use Illuminate\Database\Connection;
 use Illuminate\Support\Facades\DB;
+use InvalidArgumentException;
 use Stancl\Tenancy\Database\Contracts\StatefulTenantDatabaseManager;
 use Stancl\Tenancy\Database\Exceptions\NoConnectionSetException;
 
 abstract class TenantDatabaseManager implements StatefulTenantDatabaseManager
 {
+    /** Characters allowed in SQL identifiers (database names, usernames, schema names, etc.). */
+    public static string $allowlist = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-';
+
     /** The database connection to the server. */
     protected string $connection;
 
@@ -34,4 +38,23 @@ abstract class TenantDatabaseManager implements StatefulTenantDatabaseManager
 
         return $baseConfig;
     }
+
+    /**
+     * Validate that parameters (database names, usernames, etc.)
+     * contain only allowed characters before used in SQL statements.
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function validateParameter(string|array $parameters): string|array
+    {
+        foreach ((array) $parameters as $parameter) {
+            foreach (str_split($parameter) as $char) {
+                if (! str_contains(static::$allowlist, $char)) {
+                    throw new InvalidArgumentException("Invalid character '{$char}' in SQL parameter: {$parameter}");
+                }
+            }
+        }
+
+        return $parameters;
+    }
 }