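?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{|}~';
    }

    /**
     * Ensure that parameters (database names, usernames, etc.)
     * only contain allowed characters before being used in SQL statements
     * (or file names in the case of SQLiteDatabaseManager).
     *
     * By default, only the characters in static::parameterAllowlist() are allowed.
     *
     * The check is byte-wise (str_split()), so a multibyte character is rejected
     * unless each of its bytes appears in the allowlist.
     *
     * The exception message contains the rejected value verbatim. Secrets must
     * therefore go through validatePassword(), which replaces that message.
     *
     * @param string|array|null $parameters A single value, a list of values, or null.
     * @param string|null $allowlist Permitted characters; null selects static::parameterAllowlist().
     * @return string|array|null The input, unchanged, once every character has passed the check.
     *
     * @throws InvalidArgumentException When any value contains a character outside the allowlist.
     */
    protected function validateParameter(string|array|null $parameters, string|null $allowlist = null): string|array|null
    {
        if (is_null($parameters)) {
            // Return null if there's nothing to validate
            // (e.g. when $databaseConfig->getUsername() of an
            // improperly created tenant is passed).
            return null;
        }

        $allowlist = $allowlist ?? static::parameterAllowlist();

        // The (array) cast lets a single string and a list of strings share one loop.
        foreach ((array) $parameters as $parameter) {
            foreach (str_split($parameter) as $char) {
                if (! str_contains($allowlist, $char)) {
                    throw new InvalidArgumentException("Invalid character '{$char}' in parameter: {$parameter}");
                }
            }
        }

        return $parameters;
    }

    /**
     * Ensure password only contains allowed characters before being used in SQL statements.
     *
     * Used as a shorthand for calling validateParameter() with the less strict allowlist.
     * Unlike validateParameter(), the exception raised here never includes the
     * password or the offending character, so a rejected secret does not end up
     * in logs or error reports through the message.
     *
     * NOTE(review): this is a character filter, not escaping. Confirm that every
     * statement embedding the password also quotes it.
     * NOTE(review): stack traces can still record the argument unless
     * zend.exception_ignore_args is enabled; on PHP 8.2+ marking $password with
     * #[\SensitiveParameter] redacts it there as well.
     *
     * @param string|null $password Password to check, or null when none is set.
     * @return string|null The password, unchanged, or null when null was passed.
     *
     * @throws InvalidArgumentException When the password contains a character outside static::passwordAllowlist().
     */
    protected function validatePassword(string|null $password): string|null
    {
        try {
            return $this->validateParameter($password, static::passwordAllowlist());
        } catch (InvalidArgumentException) {
            // Deliberately not chained as `previous`: the original message
            // carries the password in clear text.
            throw new InvalidArgumentException('Password contains a character outside the password allowlist.');
        }
    }
}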