
fix(qa): replace string concatenation with parameterized SQL queries in PROJ-16 cleanup script #13

Closed
Copilot wants to merge 1 commit into chore/proj16-testdata-cleanup-pr from copilot/sub-pr-12

Conversation


Copilot AI commented Feb 19, 2026

Purpose

  • Security hardening
  • Documentation update
  • Bug fix
  • New feature
  • Refactor/maintenance
  • Other (explain below)

Related Features / Issues

Overview of Changes

Eliminated SQL injection risk in script/qa/cleanup-proj16-testdata.php by replacing direct string concatenation with parameterized query placeholders:

Before:

$idList = implode(',', $userIds);
User::destroyAll("id IN ($idList)");  // Vulnerable to injection

After:

User::destroyAll('id IN (?)', $userIds);  // Array bound to placeholder

All where() and destroyAll() calls now use IN (?) placeholders with bound array values, consistent with framework patterns in Advertisement.php:50, PostSet.php:192.

QA / Verification

  • composer run ci:lint: Pass
  • composer run test: Pass
  • composer run analyse: Pass
  • composer run cs-check: Pass
  • Manual checks: Dry-run execution confirms query parameter binding behavior

Deployment Impact

  • No deploy impact
  • Requires deploy runbook update
  • Requires environment/config changes
  • Requires migration
  • Rollback notes: N/A (script only, no schema/runtime changes)

Reviewer Focus

  • Verify all destroyAll and where calls use placeholder syntax (IN (?)) with bound parameters
  • Confirm no direct variable interpolation remains in SQL conditions

Checklist

  • Scope matches linked PROJ / issue
  • No secrets or credentials committed
  • Docs updated where needed
  • Backward compatibility considered
  • Ready to merge
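The PR body contrasts an interpolated `id IN ($idList)` with a bound `IN (?)`. The framework it touches binds a whole array to one placeholder; plain PDO does not, so the equivalent safe pattern there is one `?` per value. The following is an added example (not code from this PR or the project) that shows that expansion against an in-memory SQLite database; the `users` table, its rows and the `deleteUsersByIds` helper are constructed here for illustration.

```php
<?php
// Added example, not the PR's code: bind an id list to an IN (...) clause with
// PDO prepared statements instead of concatenating the ids into the SQL text.

function deleteUsersByIds(PDO $pdo, array $userIds): int
{
    if ($userIds === []) {
        return 0; // "IN ()" is a syntax error in most dialects; nothing to delete anyway
    }
    // Fail closed: only plain integer ids may reach the driver.
    foreach ($userIds as $id) {
        if (!is_int($id) && !(is_string($id) && ctype_digit($id))) {
            throw new InvalidArgumentException('user ids must be integers');
        }
    }
    // One "?" per value; the values themselves never become part of the SQL string.
    $placeholders = implode(',', array_fill(0, count($userIds), '?'));
    $stmt = $pdo->prepare("DELETE FROM users WHERE id IN ($placeholders)");
    foreach (array_values($userIds) as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT); // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed fixture: a throwaway SQLite database with four test users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1,'a'),(2,'b'),(3,'c'),(4,'d')");

// Normal cleanup: ids collected by the script are bound, not interpolated.
$deleted = deleteUsersByIds($pdo, [2, 4]);
echo "deleted {$deleted} rows\n";

// A value that is not an integer id is rejected before any SQL is built,
// so it can neither widen the condition nor reach the database.
try {
    deleteUsersByIds($pdo, ['4 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

$remaining = $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "remaining {$remaining} rows\n";
```

Run it with `php example.php` on any PHP build with the `pdo_sqlite` extension. The integer check is the part reviewers of the original script should look for in addition to the placeholders: binding stops the ids from being parsed as SQL, and validating them stops a stray string from being silently cast to `0` and matching nothing (or, with a looser cast, something unintended).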


Copilot AI changed the title from "[WIP] WIP address feedback on parameterized placeholders in PROJ-16 testdata script" to "fix(qa): replace string concatenation with parameterized SQL queries in PROJ-16 cleanup script" Feb 19, 2026
Copilot AI requested a review from Wachhund February 19, 2026 01:35
@Wachhund (Owner) commented:

nothing new.

@Wachhund Wachhund closed this Feb 19, 2026
@Wachhund Wachhund deleted the copilot/sub-pr-12 branch February 19, 2026 04:37