Yii will do automatic escaping, and you can see that in the debugger. But what I cannot see is: is Yii doing query parameter binding too? The debugger does not show that, and it would be nice to know.
I don't want to bind manually; it is a waste of time and code since you can easily create automatic binding. I am wondering whether Yii is doing that or not in the examples I provided in the first post. You can see in the debugger that Yii escapes dangerous characters with backslashes, but you cannot see that binding has been done.
I was reading some Yii core code, like the Query class, and from what I saw Yii will not do query param binding for you; you have to do that manually.
By looking at where() method:
public function where($condition, $params = [])
you can see that where() is expecting manual binding to be specified in the $params parameter. If I am not missing something, this means that if you specify only the $condition, even as an array, Yii will not do param binding for you.
Yii always does parameter binding if you are building a query and specifying parameters alone, as shown in your examples.
The debugger message shows SQL that is obtained by replacing placeholders with parameter values. It is not the SQL executed by Yii directly. Behind the scenes, Yii still does parameter binding.
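To check this directly instead of relying on the debugger's rendering, compare a built command's `sql`, `params` and `rawSql`. This is an added example, not code from the thread or from Yii itself; it assumes Yii 2 installed via Composer with the pdo_sqlite extension, and the `user` table, the `$input` value and the `describeQuery()` helper are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes Yii 2 installed with Composer
// and the pdo_sqlite extension. Nothing is executed against the database;
// the queries are only built and inspected.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\db\Connection;
use yii\db\Query;

$db = new Connection(['dsn' => 'sqlite::memory:']);

$input = "O'Brien"; // constructed value containing a quote character

/** Hypothetical helper: report what a built query hands to the driver. */
function describeQuery(string $label, Query $query, Connection $db, string $input): array
{
    $cmd = $query->createCommand($db);
    return [
        'form'   => $label,
        'sql'    => $cmd->sql,    // statement text passed to PDO::prepare()
        'params' => $cmd->params, // values bound separately from the text
        'rawSql' => $cmd->rawSql, // substituted rendering, as the debugger shows
        // The value counts as bound only if it appears in params
        // and does not appear in the statement text itself.
        'bound'  => in_array($input, $cmd->params, true)
                    && strpos($cmd->sql, $input) === false,
    ];
}

$forms = [
    // Array (hash) condition with no $params argument.
    'hash condition'       => (new Query())->from('user')
                                ->where(['name' => $input]),
    // String condition with an explicit placeholder and $params.
    'string + $params'     => (new Query())->from('user')
                                ->where('name = :n', [':n' => $input]),
    // String condition with the value pasted into the SQL text:
    // Yii has nothing to bind here, so the value is part of the statement.
    'string concatenation' => (new Query())->from('user')
                                ->where("name = '" . $input . "'"),
];

foreach ($forms as $label => $query) {
    print_r(describeQuery($label, $query, $db, $input));
}
```

Only `rawSql` matches what the debugger prints; `sql` and `params` are what the prepared statement actually receives.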