Ar - Is Yii Doing Query Parameter Binding When You Use Arrays

shoneZ89 · September 4, 2014, 7:00pm

If you use query like this:




$query = News::find()->where(['or', 'id=3', 'id=5']); // does not escape

Yii will not do any escaping, which is obvious because of the way parameters are built.

But if you do something like this:




$query = News::find()->where(["id"=>5]);


$query = News::find()->where(['>=', 'id', 5]);


$query = News::find()->where(['and', ['>=', 'id', 3], ['<=', 'id', 5]]);


$query = News::find()->where(['or', ['id'=>3], ['id'=>5]]);

Yii will do automatic escaping, and you can see that in debugger. But what I can not see is: is Yii doing query parameter bindings too ? Debugger do not show that, and it would be nice to know.

Thanks

tebazil · September 5, 2014, 6:51am

Yii does escape parameters automatically, since it binds them with PDO, as I understand it.

You bind parameters manually. For example:




\Yii::$app->db->createCommand("SELECT username FROM user WHERE id=:id")->bindValues(['id'=>$id])->queryScalar();

something like that.

shoneZ89 · September 5, 2014, 1:13pm

tebazil:

Yii does escape parameters automatically, since it binds them with PDO, as I understand it.

You bind parameters manually. For example:
\Yii::$app->db->createCommand("SELECT username FROM user WHERE id=:id")->bindValues(['id'=>$id])->queryScalar();
something like that.

I don’t want to bind manually, it is waste of time and code since you can easily create automatic binding. I am wandering is Yii doing that or not in examples I provided in first post. You can see in debugger that yii does escaping of dangerous characters with backslashes, but you can not see that binding has been done.

shoneZ89 · September 6, 2014, 2:16pm

I was reading some Yii core code like Query class, and from what I saw yii will not do query param bining for you, you have to do that manually.

By looking at where() method:




public function where($condition, $params = [])

you can see that where() is expecting manuall binding to be specified in $params parameter. If I am not missing something, this means that if you specify only the $condition, even as an array, yii will not do params binding for you.

Damn

qiang · September 8, 2014, 1:43pm

Yii always does parameter binding if you are building a query and specifying parameters alone, like shown in your examples.

The debugger message shows a SQL that is obtained by replacing placeholders with parameter values. It is not the SQL executed by Yii directly. Behind the scene, Yii still does parameter binding.

shoneZ89 · September 9, 2014, 12:40pm

That is fantastic! Thanks