codeigniter4
diff --git a/‎system/BaseModel.php‎
Lines changed: 65 additions & 10 deletions b/‎system/BaseModel.php‎
Lines changed: 65 additions & 10 deletions
diff --git a/‎system/Model.php‎
Lines changed: 9 additions & 4 deletions b/‎system/Model.php‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎tests/system/Models/DeleteModelTest.php‎
Lines changed: 107 additions & 21 deletions b/‎tests/system/Models/DeleteModelTest.php‎
Lines changed: 107 additions & 21 deletions
@@ -780,6 +780,61 @@ public function getInsertID()
         return is_numeric($this->insertID) ? (int) $this->insertID : $this->insertID;
     }
 
+    /**
+     * Validates that the primary key values are valid for update/delete/insert operations.
+     * Throws exception if invalid.
+     *
+     * @param int|list<int|string>|string $id
+     * @param bool                        $allowArray Whether to allow array of IDs (true for update/delete, false for insert)
+     *
+     * @throws InvalidArgumentException
+     */
+    protected function validateID($id, bool $allowArray = true): void
+    {
+        if (is_array($id)) {
+            // Check if arrays are allowed
+            if (! $allowArray) {
+                throw new InvalidArgumentException(
+                    'Invalid primary key: only a single value is allowed, not an array.'
+                );
+            }
+
+            // Check for empty array
+            if ($id === []) {
+                throw new InvalidArgumentException('Invalid primary key: cannot be an empty array.');
+            }
+
+            // Validate each ID in the array recursively
+            foreach ($id as $key => $valueId) {
+                if (is_array($valueId)) {
+                    throw new InvalidArgumentException(
+                        sprintf('Invalid primary key at index %s: nested arrays are not allowed.', $key)
+                    );
+                }
+
+                // Recursive call for each value (single values only in recursion)
+                $this->validateID($valueId, false);
+            }
+
+            return;
+        }
+
+        // Check for invalid single values
+        if (in_array($id, [null, 0, '0', '', true, false], true)) {
+            $type = is_bool($id) ? 'boolean ' . var_export($id, true) : var_export($id, true);
+            throw new InvalidArgumentException(
+                sprintf('Invalid primary key: %s is not allowed.', $type)
+            );
+        }
+
+        // Only allow int and string at this point
+        if (! is_int($id) && ! is_string($id)) {
+            throw new InvalidArgumentException(
+                sprintf('Invalid primary key: must be int or string, %s given.', get_debug_type($id))
+            );
+        }
+    }
+
     /**
      * Inserts data into the database. If an object is provided,
      * it will attempt to convert it to an array.
@@ -969,12 +1024,12 @@ public function insertBatch(?array $set = null, ?bool $escape = null, int $batch
      */
     public function update($id = null, $row = null): bool
     {
-        if (is_bool($id)) {
-            throw new InvalidArgumentException('update(): argument #1 ($id) should not be boolean.');
-        }
+        if ($id !== null) {
+            if (! is_array($id)) {
+              $id = [$id];
+            }
 
-        if (is_numeric($id) || is_string($id)) {
-            $id = [$id];
+            $this->validateID($id);
         }
 
         $row = $this->transformDataToArray($row, 'update');
@@ -1100,12 +1155,12 @@ public function updateBatch(?array $set = null, ?string $index = null, int $batc
      */
     public function delete($id = null, bool $purge = false)
     {
-        if (is_bool($id)) {
-            throw new InvalidArgumentException('delete(): argument #1 ($id) should not be boolean.');
-        }
+        if ($id !== null) {
+            if (! is_array($id)) {
+                $id = [$id];
+            }
 
-        if (! in_array($id, [null, 0, '0'], true) && (is_numeric($id) || is_string($id))) {
-            $id = [$id];
+            $this->validateID($id);
         }
 
         $eventData = [
 
@@ -311,8 +311,13 @@ protected function doInsert(array $row)
 
         // Require non-empty primaryKey when
         // not using auto-increment feature
-        if (! $this->useAutoIncrement && ! isset($row[$this->primaryKey])) {
-            throw DataException::forEmptyPrimaryKey('insert');
+        if (! $this->useAutoIncrement) {
+            if (! isset($row[$this->primaryKey])) {
+                throw DataException::forEmptyPrimaryKey('insert');
+            }
+
+            // Validate the primary key value (arrays not allowed for insert)
+            $this->validateID($row[$this->primaryKey], false);
         }
 
         $builder = $this->builder();
@@ -381,7 +386,7 @@ protected function doUpdate($id = null, $row = null): bool
 
         $builder = $this->builder();
 
-        if (! in_array($id, [null, '', 0, '0', []], true)) {
+        if (is_array($id) && $id !== []) {
             $builder = $builder->whereIn($this->table . '.' . $this->primaryKey, $id);
         }
 
@@ -409,7 +414,7 @@ protected function doDelete($id = null, bool $purge = false)
         $set     = [];
         $builder = $this->builder();
 
-        if (! in_array($id, [null, '', 0, '0', []], true)) {
+        if (is_array($id) && $id !== []) {
             $builder = $builder->whereIn($this->primaryKey, $id);
         }
 
 
@@ -14,6 +14,7 @@
 namespace CodeIgniter\Models;
 
 use CodeIgniter\Database\Exceptions\DatabaseException;
+use CodeIgniter\Exceptions\InvalidArgumentException;
 use CodeIgniter\Exceptions\ModelException;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
@@ -152,29 +153,37 @@ public function testOnlyDeleted(): void
 
     /**
      * Given an explicit empty value in the WHERE condition
-     * When executing a soft delete
+     * When executing a soft delete with where() clause
      * Then an exception should not be thrown
      *
+     * This test uses where() so values go into WHERE clause, not through validateID().
+     *
      * @param int|string|null $emptyValue
      */
-    #[DataProvider('emptyPkValues')]
+    #[DataProvider('emptyPkValuesWithWhereClause')]
     public function testDontThrowExceptionWhenSoftDeleteConditionIsSetWithEmptyValue($emptyValue): void
     {
         $this->createModel(UserModel::class);
         $this->seeInDatabase('user', ['name' => 'Derek Jones', 'deleted_at IS NULL' => null]);
 
         $this->model->where('id', $emptyValue)->delete();
-        $this->seeInDatabase('user', ['name' => 'Derek Jones', 'deleted_at IS NULL' => null]);
+        // Special case: true converted to 1
+        if ($emptyValue === true) {
+            $this->seeInDatabase('user', ['name' => 'Derek Jones', 'deleted_at IS NOT NULL' => null]);
+        } else {
+            $this->seeInDatabase('user', ['name' => 'Derek Jones', 'deleted_at IS NULL' => null]);
+        }
     }
 
     /**
      * @param int|string|null $emptyValue
+     * @param class-string    $exception
      */
     #[DataProvider('emptyPkValues')]
-    public function testThrowExceptionWhenSoftDeleteParamIsEmptyValue($emptyValue): void
+    public function testThrowExceptionWhenSoftDeleteParamIsEmptyValue($emptyValue, string $exception, string $exceptionMessage): void
     {
-        $this->expectException(DatabaseException::class);
-        $this->expectExceptionMessage('Deletes are not allowed unless they contain a "where" or "like" clause.');
+        $this->expectException($exception);
+        $this->expectExceptionMessage($exceptionMessage);
 
         $this->seeInDatabase('user', ['name' => 'Derek Jones', 'deleted_at IS NULL' => null]);
 
@@ -183,16 +192,17 @@ public function testThrowExceptionWhenSoftDeleteParamIsEmptyValue($emptyValue):
 
     /**
      * @param int|string|null $emptyValue
+     * @param class-string    $exception
      */
     #[DataProvider('emptyPkValues')]
-    public function testDontDeleteRowsWhenSoftDeleteParamIsEmpty($emptyValue): void
+    public function testDontDeleteRowsWhenSoftDeleteParamIsEmpty($emptyValue, string $exception, string $exceptionMessage): void
     {
         $this->seeInDatabase('user', ['name' => 'Derek Jones', 'deleted_at IS NULL' => null]);
 
         try {
             $this->createModel(UserModel::class)->delete($emptyValue);
-        } catch (DatabaseException) {
-            // Do nothing.
+        } catch (DatabaseException | InvalidArgumentException) {
+            // Do nothing - both exceptions are expected for different values.
         }
 
         $this->seeInDatabase('user', ['name' => 'Derek Jones', 'deleted_at IS NULL' => null]);
@@ -233,15 +243,13 @@ public function testPurgeDeletedWithSoftDeleteFalse(): void
 
     /**
      * @param int|string|null $id
+     * @param class-string    $exception
      */
     #[DataProvider('emptyPkValues')]
-    public function testDeleteThrowDatabaseExceptionWithoutWhereClause($id): void
+    public function testDeleteThrowDatabaseExceptionWithoutWhereClause($id, string $exception, string $exceptionMessage): void
     {
-        // BaseBuilder throws Exception.
-        $this->expectException(DatabaseException::class);
-        $this->expectExceptionMessage(
-            'Deletes are not allowed unless they contain a "where" or "like" clause.',
-        );
+        $this->expectException($exception);
+        $this->expectExceptionMessage($exceptionMessage);
 
         // $useSoftDeletes = false
         $this->createModel(JobModel::class);
@@ -251,15 +259,13 @@ public function testDeleteThrowDatabaseExceptionWithoutWhereClause($id): void
 
     /**
      * @param int|string|null $id
+     * @param class-string    $exception
      */
     #[DataProvider('emptyPkValues')]
-    public function testDeleteWithSoftDeleteThrowDatabaseExceptionWithoutWhereClause($id): void
+    public function testDeleteWithSoftDeleteThrowDatabaseExceptionWithoutWhereClause($id, string $exception, string $exceptionMessage): void
     {
-        // Model throws Exception.
-        $this->expectException(DatabaseException::class);
-        $this->expectExceptionMessage(
-            'Deletes are not allowed unless they contain a "where" or "like" clause.',
-        );
+        $this->expectException($exception);
+        $this->expectExceptionMessage($exceptionMessage);
 
         // $useSoftDeletes = true
         $this->createModel(UserModel::class);
@@ -268,11 +274,91 @@ public function testDeleteWithSoftDeleteThrowDatabaseExceptionWithoutWhereClause
     }
 
     public static function emptyPkValues(): iterable
+    {
+        return [
+            'null' => [
+                null,
+                DatabaseException::class,
+                'Deletes are not allowed unless they contain a "where" or "like" clause.',
+            ],
+            'false' => [
+                false,
+                InvalidArgumentException::class,
+                'Invalid primary key: boolean false is not allowed.',
+            ],
+            '0 integer' => [
+                0,
+                InvalidArgumentException::class,
+                'Invalid primary key: 0 is not allowed.',
+            ],
+            "'0' string" => [
+                '0',
+                InvalidArgumentException::class,
+                "Invalid primary key: '0' is not allowed.",
+            ],
+            'empty string' => [
+                '',
+                InvalidArgumentException::class,
+                "Invalid primary key: '' is not allowed.",
+            ],
+            'true' => [
+                true,
+                InvalidArgumentException::class,
+                'Invalid primary key: boolean true is not allowed.',
+            ],
+            'empty array' => [
+                [],
+                InvalidArgumentException::class,
+                'Invalid primary key: cannot be an empty array.',
+            ],
+            'nested array' => [
+                [[1, 2]],
+                InvalidArgumentException::class,
+                'Invalid primary key at index 0: nested arrays are not allowed.',
+            ],
+            'array with null' => [
+                [1, null, 3],
+                InvalidArgumentException::class,
+                'Invalid primary key: NULL is not allowed.',
+            ],
+            'array with 0' => [
+                [1, 0, 3],
+                InvalidArgumentException::class,
+                'Invalid primary key: 0 is not allowed.',
+            ],
+            "array with '0'" => [
+                [1, '0', 3],
+                InvalidArgumentException::class,
+                "Invalid primary key: '0' is not allowed.",
+            ],
+            'array with empty string' => [
+                [1, '', 3],
+                InvalidArgumentException::class,
+                "Invalid primary key: '' is not allowed.",
+            ],
+            'array with boolean' => [
+                [1, false, 3],
+                InvalidArgumentException::class,
+                'Invalid primary key: boolean false is not allowed.',
+            ],
+        ];
+    }
+
+    /**
+     * Data provider for tests using where() clause.
+     * These values go into WHERE clause, not through validateID().
+     *
+     * @return iterable<array{bool|int|string|null}>
+     */
+    public static function emptyPkValuesWithWhereClause(): iterable
     {
         return [
             [0],
             [null],
             ['0'],
+            [''],
+            [true],
+            [false],
         ];
     }
 }