From 698cbd9681c382f05d9cf661a13cb63fbf0fc321 Mon Sep 17 00:00:00 2001
From: mscherer <dereuromark@web.de>
Date: Mon, 19 Jan 2026 18:24:42 +0100
Subject: [PATCH] Improve SQL quoting and fix docblock issues

- Fix SQL Server sp_rename to use quoteString() for proper escaping
- Fix foreign key column quoting in PostgreSQL and SQL Server adapters
  to use quoteColumnName() instead of hard-coded quotes
- Fix MigrationHelper::tableStatement() to escape table names
- Fix @params typos in BaseMigration docblocks (should be @param)
- Fix copy-paste docblock errors in test seed files
---
 src/BaseMigration.php                         |  4 +-
 src/Db/Adapter/PostgresAdapter.php            |  7 ++--
 src/Db/Adapter/SqlserverAdapter.php           | 38 +++++++++----------
 src/View/Helper/MigrationHelper.php           |  2 +-
 .../config/AltSeeds/AnotherNumbersSeed.php    |  2 +-
 .../config/AltSeeds/NumbersAltSeed.php        |  2 +-
 .../config/BaseSeeds/MigrationSeedNumbers.php |  2 +-
 .../config/CallSeeds/DatabaseSeed.php         |  2 +-
 .../test_app/config/CallSeeds/LettersSeed.php |  2 +-
 .../config/CallSeeds/NumbersCallSeed.php      |  2 +-
 tests/test_app/config/Seeds/StoresSeed.php    |  2 +-
 11 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/src/BaseMigration.php b/src/BaseMigration.php
index b5df6c622..2969933aa 100644
--- a/src/BaseMigration.php
+++ b/src/BaseMigration.php
@@ -431,7 +431,7 @@ public function table(string $tableName, array $options = []): Table
     /**
      * Create a new ForeignKey object.
      *
-     * @params string|string[] $columns Columns
+     * @param string|string[] $columns Columns
      * @return \Migrations\Db\Table\ForeignKey
      */
     public function foreignKey(string|array $columns): ForeignKey
@@ -442,7 +442,7 @@ public function foreignKey(string|array $columns): ForeignKey
     /**
      * Create a new Index object.
      *
-     * @params string|string[] $columns Columns
+     * @param string|string[] $columns Columns
      * @return \Migrations\Db\Table\Index
      */
     public function index(string|array $columns): Index
diff --git a/src/Db/Adapter/PostgresAdapter.php b/src/Db/Adapter/PostgresAdapter.php
index 8720b9c59..8355f8b69 100644
--- a/src/Db/Adapter/PostgresAdapter.php
+++ b/src/Db/Adapter/PostgresAdapter.php
@@ -944,10 +944,11 @@ protected function getForeignKeySqlDefinition(ForeignKey $foreignKey, string $ta
         $constraintName = $foreignKey->getName() ?: (
             $parts['table'] . '_' . implode('_', $foreignKey->getColumns()) . '_fkey'
         );
+        $columnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getColumns()));
+        $refColumnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getReferencedColumns()));
         $def = ' CONSTRAINT ' . $this->quoteColumnName($constraintName) .
-        ' FOREIGN KEY ("' . implode('", "', $foreignKey->getColumns()) . '")' .
-        " REFERENCES {$this->quoteTableName($foreignKey->getReferencedTable())} (\"" .
-        implode('", "', $foreignKey->getReferencedColumns()) . '")';
+        ' FOREIGN KEY (' . $columnList . ')' .
+        ' REFERENCES ' . $this->quoteTableName($foreignKey->getReferencedTable()) . ' (' . $refColumnList . ')';
         if ($foreignKey->getOnDelete()) {
             $def .= " ON DELETE {$foreignKey->getOnDelete()}";
         }
diff --git a/src/Db/Adapter/SqlserverAdapter.php b/src/Db/Adapter/SqlserverAdapter.php
index 14602abc8..8f1812a83 100644
--- a/src/Db/Adapter/SqlserverAdapter.php
+++ b/src/Db/Adapter/SqlserverAdapter.php
@@ -236,9 +236,9 @@ protected function getRenameTableInstructions(string $tableName, string $newTabl
     {
         $this->updateCreatedTableName($tableName, $newTableName);
         $sql = sprintf(
-            "EXEC sp_rename '%s', '%s'",
-            $tableName,
-            $newTableName,
+            'EXEC sp_rename %s, %s',
+            $this->quoteString($tableName),
+            $this->quoteString($newTableName),
         );
 
         return new AlterInstructions([], [$sql]);
@@ -377,23 +377,21 @@ protected function getRenameColumnInstructions(string $tableName, string $column
 
         $oldConstraintName = "DF_{$tableName}_{$columnName}";
         $newConstraintName = "DF_{$tableName}_{$newColumnName}";
-        $sql = <<<SQL
-IF (OBJECT_ID('$oldConstraintName', 'D') IS NOT NULL)
+        $sql = sprintf(
+            'IF (OBJECT_ID(%s, \'D\') IS NOT NULL)
 BEGIN
-     EXECUTE sp_rename N'%s', N'%s', N'OBJECT'
-END
-SQL;
-        $instructions->addPostStep(sprintf(
-            $sql,
-            $oldConstraintName,
-            $newConstraintName,
-        ));
+     EXECUTE sp_rename %s, %s, N\'OBJECT\'
+END',
+            $this->quoteString($oldConstraintName),
+            $this->quoteString($oldConstraintName),
+            $this->quoteString($newConstraintName),
+        );
+        $instructions->addPostStep($sql);
 
         $instructions->addPostStep(sprintf(
-            "EXECUTE sp_rename N'%s.%s', N'%s', 'COLUMN' ",
-            $tableName,
-            $columnName,
-            $newColumnName,
+            'EXECUTE sp_rename %s, %s, N\'COLUMN\'',
+            $this->quoteString($tableName . '.' . $columnName),
+            $this->quoteString($newColumnName),
         ));
 
         return $instructions;
@@ -858,10 +856,12 @@ protected function getIndexSqlDefinition(Index $index, string $tableName): strin
     protected function getForeignKeySqlDefinition(ForeignKey $foreignKey, string $tableName): string
     {
         $constraintName = $foreignKey->getName() ?: $tableName . '_' . implode('_', $foreignKey->getColumns());
+        $columnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getColumns()));
+        $refColumnList = implode(', ', array_map($this->quoteColumnName(...), $foreignKey->getReferencedColumns()));
 
         $def = ' CONSTRAINT ' . $this->quoteColumnName($constraintName);
-        $def .= ' FOREIGN KEY ("' . implode('", "', $foreignKey->getColumns()) . '")';
-        $def .= " REFERENCES {$this->quoteTableName($foreignKey->getReferencedTable())} (\"" . implode('", "', $foreignKey->getReferencedColumns()) . '")';
+        $def .= ' FOREIGN KEY (' . $columnList . ')';
+        $def .= ' REFERENCES ' . $this->quoteTableName($foreignKey->getReferencedTable()) . ' (' . $refColumnList . ')';
         if ($foreignKey->getOnDelete()) {
             $def .= " ON DELETE {$foreignKey->getOnDelete()}";
         }
diff --git a/src/View/Helper/MigrationHelper.php b/src/View/Helper/MigrationHelper.php
index cb171ed48..3302e7e5c 100644
--- a/src/View/Helper/MigrationHelper.php
+++ b/src/View/Helper/MigrationHelper.php
@@ -625,7 +625,7 @@ public function tableStatement(string $table, bool $reset = false): string
         if (!isset($this->tableStatementStatus[$table])) {
             $this->tableStatementStatus[$table] = true;
 
-            return '$this->table(\'' . $table . '\')';
+            return '$this->table(\'' . addslashes($table) . '\')';
         }
 
         return '';
diff --git a/tests/test_app/config/AltSeeds/AnotherNumbersSeed.php b/tests/test_app/config/AltSeeds/AnotherNumbersSeed.php
index f72c0a34d..efa478b60 100644
--- a/tests/test_app/config/AltSeeds/AnotherNumbersSeed.php
+++ b/tests/test_app/config/AltSeeds/AnotherNumbersSeed.php
@@ -3,7 +3,7 @@
 use Migrations\BaseSeed;
 
 /**
- * NumbersSeed seed.
+ * AnotherNumbersSeed seed.
  */
 class AnotherNumbersSeed extends BaseSeed
 {
diff --git a/tests/test_app/config/AltSeeds/NumbersAltSeed.php b/tests/test_app/config/AltSeeds/NumbersAltSeed.php
index 4c9e3c6da..1455134eb 100644
--- a/tests/test_app/config/AltSeeds/NumbersAltSeed.php
+++ b/tests/test_app/config/AltSeeds/NumbersAltSeed.php
@@ -3,7 +3,7 @@
 use Migrations\BaseSeed;
 
 /**
- * NumbersSeed seed.
+ * NumbersAltSeed seed.
  */
 class NumbersAltSeed extends BaseSeed
 {
diff --git a/tests/test_app/config/BaseSeeds/MigrationSeedNumbers.php b/tests/test_app/config/BaseSeeds/MigrationSeedNumbers.php
index d12df2697..5558fb593 100644
--- a/tests/test_app/config/BaseSeeds/MigrationSeedNumbers.php
+++ b/tests/test_app/config/BaseSeeds/MigrationSeedNumbers.php
@@ -3,7 +3,7 @@
 use Migrations\BaseSeed;
 
 /**
- * NumbersSeed seed.
+ * MigrationSeedNumbers seed.
  */
 class MigrationSeedNumbers extends BaseSeed
 {
diff --git a/tests/test_app/config/CallSeeds/DatabaseSeed.php b/tests/test_app/config/CallSeeds/DatabaseSeed.php
index 90954c90d..e8e69f01d 100644
--- a/tests/test_app/config/CallSeeds/DatabaseSeed.php
+++ b/tests/test_app/config/CallSeeds/DatabaseSeed.php
@@ -3,7 +3,7 @@
 use Migrations\BaseSeed;
 
 /**
- * NumbersSeed seed.
+ * DatabaseSeed seed.
  */
 class DatabaseSeed extends BaseSeed
 {
diff --git a/tests/test_app/config/CallSeeds/LettersSeed.php b/tests/test_app/config/CallSeeds/LettersSeed.php
index 300d6688c..a2591b6ff 100644
--- a/tests/test_app/config/CallSeeds/LettersSeed.php
+++ b/tests/test_app/config/CallSeeds/LettersSeed.php
@@ -3,7 +3,7 @@
 use Migrations\BaseSeed;
 
 /**
- * NumbersSeed seed.
+ * LettersSeed seed.
  */
 class LettersSeed extends BaseSeed
 {
diff --git a/tests/test_app/config/CallSeeds/NumbersCallSeed.php b/tests/test_app/config/CallSeeds/NumbersCallSeed.php
index a6843abb3..24f56bde2 100644
--- a/tests/test_app/config/CallSeeds/NumbersCallSeed.php
+++ b/tests/test_app/config/CallSeeds/NumbersCallSeed.php
@@ -3,7 +3,7 @@
 use Migrations\BaseSeed;
 
 /**
- * NumbersSeed seed.
+ * NumbersCallSeed seed.
  */
 class NumbersCallSeed extends BaseSeed
 {
diff --git a/tests/test_app/config/Seeds/StoresSeed.php b/tests/test_app/config/Seeds/StoresSeed.php
index 961bd42e1..e9ac51751 100644
--- a/tests/test_app/config/Seeds/StoresSeed.php
+++ b/tests/test_app/config/Seeds/StoresSeed.php
@@ -5,7 +5,7 @@
 use Migrations\BaseSeed;
 
 /**
- * NumbersSeed seed.
+ * StoresSeed seed.
  */
 class StoresSeed extends BaseSeed
 {