@@ -24,8 +24,8 @@ trait ValidatesDatabaseParameters
2424 * Used as the default allowlist in validateParameter(), which validates non-password
2525 * parameters such as database names or usernames.
2626 *
27- * Since special characters are not used in non-password parameters commonly,
28- * we can be more strict about them to prevent SQL injection and other related issues .
27+ * Since non-password parameters don't need to use as many special characters, we use
28+ * a stricter allowlist here .
2929 */
3030 protected function allowedParameterCharacters (): string
3131 {
@@ -35,13 +35,8 @@ protected function allowedParameterCharacters(): string
3535 /**
3636 * Characters allowed in database user passwords.
3737 *
38- * Parameters are always quoted in the SQL statements, so it's safe
39- * to allow a wider range of characters, as long as it doesn't include
40- * characters that can break out of the quoted SQL strings (so e.g.
41- * ', ", \, and ` aren't allowed).
42- *
43- * The allowlist is less strict for passwords than for other parameters
44- * because it's more common to use special characters in passwords.
38+ * The allowlist for passwords is less strict than for other parameters
39+ * because it's more common to use more special characters in passwords.
4540 */
4641 protected function allowedPasswordCharacters (): string
4742 {
0 commit comments