From db03997339b0f45b4348b4aba75435567bcd3eb6 Mon Sep 17 00:00:00 2001
From: lukinovec
Date: Wed, 29 Apr 2026 16:01:49 +0200
Subject: [PATCH] Validate SQLite DB names in create/deleteDatabase()

Also stop skipping the validation test for sqlite.
---
 .../TenantDatabaseManagers/SQLiteDatabaseManager.php | 12 ++++++++++++
 tests/TenantDatabaseManagerTest.php | 5 +----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php b/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php
index 295cf304..e4e6ab76 100644
--- a/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php
+++ b/src/Database/TenantDatabaseManagers/SQLiteDatabaseManager.php
@@ -7,12 +7,15 @@ namespace Stancl\Tenancy\Database\TenantDatabaseManagers;
 use Closure;
 use Illuminate\Database\Eloquent\Model;
 use PDO;
+use Stancl\Tenancy\Database\Concerns\ValidatesSqlParameters;
 use Stancl\Tenancy\Database\Contracts\TenantDatabaseManager;
 use Stancl\Tenancy\Database\Contracts\TenantWithDatabase;
 use Throwable;
 
 class SQLiteDatabaseManager implements TenantDatabaseManager
 {
+    use ValidatesSqlParameters;
+
     /**
      * SQLite database directory path.
      *
@@ -57,6 +60,11 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
      */
     public static Closure|null $closeInMemoryConnectionUsing = null;
 
+    protected static function parameterAllowlist(): string
+    {
+        return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.';
+    }
+
     public function createDatabase(TenantWithDatabase $tenant): bool
     {
         /** @var TenantWithDatabase&Model $tenant */
@@ -84,6 +92,8 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
             return true;
         }
 
+        $this->validateParameter($name);
+
         return file_put_contents($this->getPath($name), '') !== false;
     }
 
@@ -99,6 +109,8 @@ class SQLiteDatabaseManager implements TenantDatabaseManager
             return true;
         }
 
+        $this->validateParameter($name);
+
         $path = $this->getPath($name);
 
         try {
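Review bot: `parameterAllowlist()` admits `.` and `-` without saying why, and because this manager passes the validated value to `getPath($name)` as a file-name component rather than into an SQL statement, a name made only of dots (`.`, `..`) passes the allowlist and then resolves to the database directory itself or its parent. Add a docblock to the method stating that the set is chosen for a file-system name component (extension dots and dashes allowed, no path separators), and reject all-dot names before `getPath()` is reached in both `createDatabase()` and `deleteDatabase()`, e.g. `if (trim($name, '.') === '') { throw new \InvalidArgumentException("Invalid SQLite database name: {$name}"); }` — or fold that rule into the trait if it can express it. In both methods the new `validateParameter($name)` call sits after an early `return true;` whose condition lies outside the hunk; if that branch only covers the in-memory case the placement is fine, but a one-line comment saying so would stop a reader from assuming a name can slip through unvalidated. `validateParameter()` itself lives in `ValidatesSqlParameters`, which is not in this patch, so the exception it throws is not visible here.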
diff --git a/tests/TenantDatabaseManagerTest.php b/tests/TenantDatabaseManagerTest.php
index 9c5ff41a..14789a82 100644
--- a/tests/TenantDatabaseManagerTest.php
+++ b/tests/TenantDatabaseManagerTest.php
@@ -541,10 +541,7 @@ test('partial tenant connection templates get merged into the central connection
 });
 
 test('database managers validate sql parameters before using them in statements', function ($driver, $databaseManager) {
-    // todo@validation passwords. also sqlite?
-    if ($driver === 'sqlite') {
-        $this->markTestSkipped('SQLiteDatabaseManager does not use SQL statements.');
-    }
+    // todo@validation passwords
 
     config()->set([
         "tenancy.database.template_tenant_connection" => $driver,
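Review bot: With the sqlite skip removed, this data set now runs against `SQLiteDatabaseManager`, whose validation in the first file of this patch is only reached after an early `return true;` branch in `createDatabase()`/`deleteDatabase()`; make sure the invalid name the test supplies does not take that branch, otherwise the expectation can never fire for sqlite. The surviving `// todo@validation passwords` comment lost the sentence that gave it context; make it self-contained, e.g. `// todo@validation: passwords are not covered by this test yet`. The test body and its assertion continue past the hunk, so what the test actually expects is not visible here.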