Skip to content

Commit fbffeb8

Browse files
committed
improve docblocks for allowlists
1 parent 13e32dd commit fbffeb8

1 file changed

Lines changed: 4 additions & 9 deletions

File tree

src/Database/Concerns/ValidatesDatabaseParameters.php

Lines changed: 4 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -24,8 +24,8 @@ trait ValidatesDatabaseParameters
2424
* Used as the default allowlist in validateParameter(), which validates non-password
2525
* parameters such as database names or usernames.
2626
*
27-
* Since special characters are not used in non-password parameters commonly,
28-
* we can be more strict about them to prevent SQL injection and other related issues.
27+
* Since non-password parameters don't need to use as many special characters, we use
28+
* a stricter allowlist here.
2929
*/
3030
protected function allowedParameterCharacters(): string
3131
{
@@ -35,13 +35,8 @@ protected function allowedParameterCharacters(): string
3535
/**
3636
* Characters allowed in database user passwords.
3737
*
38-
* Parameters are always quoted in the SQL statements, so it's safe
39-
* to allow a wider range of characters, as long as it doesn't include
40-
* characters that can break out of the quoted SQL strings (so e.g.
41-
* ', ", \, and ` aren't allowed).
42-
*
43-
* The allowlist is less strict for passwords than for other parameters
44-
* because it's more common to use special characters in passwords.
38+
* The allowlist for passwords is less strict than for other parameters
39+
* because it's more common to use more special characters in passwords.
4540
*/
4641
protected function allowedPasswordCharacters(): string
4742
{

0 commit comments

Comments
 (0)