Ar - Is Yii Doing Query Parameter Binding When You Use Arrays

If you use a query like this:

$query = News::find()->where(['or', 'id=3', 'id=5']); // does not escape

Yii will not do any escaping, which is obvious because of the way the parameters are built.

But if you do something like this:

$query = News::find()->where(["id"=>5]);

$query = News::find()->where(['>=', 'id', 5]);

$query = News::find()->where(['and', ['>=', 'id', 3], ['<=', 'id', 5]]);

$query = News::find()->where(['or', ['id'=>3], ['id'=>5]]);

Yii will do automatic escaping, and you can see that in the debugger. But what I cannot see is: is Yii doing query parameter binding too? The debugger does not show that, and it would be nice to know.

Thanks

Yii does escape parameters automatically, since it binds them with PDO, as I understand it.

You bind parameters manually. For example:

\Yii::$app->db->createCommand("SELECT username FROM user WHERE id=:id")->bindValues(['id'=>$id])->queryScalar();

Something like that.

I don't want to bind manually; it is a waste of time and code, since you can easily create automatic binding. I am wondering whether Yii does that or not in the examples I provided in my first post. You can see in the debugger that Yii escapes dangerous characters with backslashes, but you cannot see that binding has been done.

I was reading some Yii core code, like the Query class, and from what I saw Yii will not do query parameter binding for you; you have to do that manually.

By looking at the where() method:

public function where($condition, $params = [])

you can see that where() expects manual binding to be specified in the $params parameter. If I am not missing something, this means that if you specify only the $condition, even as an array, Yii will not do parameter binding for you.

Damn :(

Yii always does parameter binding if you are building a query and specifying parameters alone, as shown in your examples.

The debugger message shows SQL that is obtained by replacing the placeholders with the parameter values. It is not the SQL executed by Yii directly. Behind the scenes, Yii still does parameter binding.
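To make the distinction in this answer visible, here is an added example (not code from the thread or from the Yii project) that builds the queries from the first post and prints both the prepared SQL with its placeholders and the substituted SQL the debugger displays. It uses yii\db\Query against a constructed in-memory SQLite database instead of News::find(), so it runs without a configured application; it assumes Yii 2 installed via Composer at vendor/yiisoft/yii2 and PHP's pdo_sqlite extension. The table name `news`, its columns, the rows inserted, and the $userInput value are all constructed for the demonstration.

```php
<?php
// Added example: inspect what Yii 2 actually sends to PDO for array-style where() conditions.
// Assumes Yii 2 installed via Composer (vendor/yiisoft/yii2) and the pdo_sqlite extension.
require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\db\Connection;
use yii\db\Query;

// Constructed in-memory database standing in for the thread's `news` table.
$db = new Connection(['dsn' => 'sqlite::memory:']);
$db->open();
$db->createCommand('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)')->execute();
$db->createCommand()->batchInsert('news', ['id', 'title'], [
    [3, 'three'],
    [5, 'five'],
    [7, 'seven'],
])->execute();

// A constructed value of the kind a user might submit. Bound as a parameter it is only data,
// so it is compared against `id` as a literal string and never changes the query's structure.
$userInput = "5 OR 1=1";

$cases = [
    // Hash format and operator format: the value becomes a :qpN placeholder.
    'hash'     => (new Query())->from('news')->where(['id' => $userInput]),
    'operator' => (new Query())->from('news')->where(['>=', 'id', $userInput]),
    'and'      => (new Query())->from('news')->where(['and', ['>=', 'id', 3], ['<=', 'id', 5]]),
    'or'       => (new Query())->from('news')->where(['or', ['id' => 3], ['id' => 5]]),
    // String operands are raw SQL fragments: nothing is bound (the first post's example).
    'raw'      => (new Query())->from('news')->where(['or', 'id=3', 'id=5']),
    // The $params argument of where(), i.e. the manual binding discussed above.
    'manual'   => (new Query())->from('news')->where('id = :id', [':id' => 5]),
];

foreach ($cases as $name => $query) {
    $cmd = $query->createCommand($db);
    // getSql(): the statement Yii prepares, placeholders intact.
    // $cmd->params: the values bound to those placeholders.
    // getRawSql(): placeholders substituted for display only; this is what the debugger shows.
    printf("%-8s prepared: %s\n", $name, $cmd->getSql());
    printf("%-8s params:   %s\n", '', json_encode($cmd->params));
    printf("%-8s raw:      %s\n", '', $cmd->getRawSql());
    printf("%-8s rows:     %d\n\n", '', count($cmd->queryAll()));
}
```

Run it with `php inspect.php` from the directory that holds `vendor/`. For the `hash`, `operator`, `and`, `or` and `manual` cases the prepared SQL contains placeholders and `params` is non-empty; only the `raw` case has an empty parameter list, because its operands were passed as SQL strings rather than as values. When reviewing Yii code for injection risk, that is the property to check: values must arrive in where() as hash keys, operator operands or $params entries, never concatenated into a string operand.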

That is fantastic! Thanks :D