Not an expert in SQL injection, but maybe? Since you're allowing the outside world to not only pass in values (which parameter binding should take care of), but you're also accepting data to define what keys/columns to search for. I don't think the DB Command class would escape the condition string parameter, though I may be wrong.
What are you trying to build? Does it have to be as dynamic as what you are creating here?
Thanks for the reply. I opted to go away from using the command and to using a criteria. I've changed the code to this, and it's working as expected. I'd still like advice on whether it's vulnerable to injection, or if Yii somehow will sanitize the conditions.
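The point raised in the first reply, that parameter binding protects the values but not the column names, can be shown with a small Yii 1.1 snippet. This is an added example, not code from either poster: the model class `Product`, its columns `name`, `sku` and `category`, and the `$_GET['filter']` array shape are all assumptions made for illustration. It uses only `CDbCriteria::compare()`, `CActiveRecord::findAll()`, `CDbConnection::quoteColumnName()` and `CHttpException` from the Yii 1.1 API.

```php
<?php
// Added example (not from the original thread). Assumes Yii 1.1 and a
// hypothetical CActiveRecord model `Product` with columns name, sku, category.
// Request shape assumed: ?filter[name]=widget&filter[category]=tools

// UNSAFE: the array keys (column names) come straight from the request.
// CDbCriteria::compare() binds $value as a named parameter, but the $column
// argument is concatenated into the WHERE clause exactly as given, so a key
// such as "1=1) OR (name" rewrites the condition instead of just the value.
function searchUnsafe(array $filters)
{
    $criteria = new CDbCriteria;
    foreach ($filters as $column => $value) {
        $criteria->compare($column, $value);   // $column is never escaped
    }
    return Product::model()->findAll($criteria);
}

// SAFER: only column names from a fixed allowlist reach the query. The
// identifier is still quoted, but the allowlist is what actually closes the
// hole; quoting alone would not stop an unexpected but valid column name.
function searchSafe(array $filters)
{
    $allowed = array('name', 'sku', 'category');   // assumed searchable columns
    $db = Yii::app()->db;
    $criteria = new CDbCriteria;
    foreach ($filters as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new CHttpException(400, 'Unknown search field: ' . $column);
        }
        // $value is still passed through binding by compare(); only the
        // identifier is fixed and quoted here.
        $criteria->compare($db->quoteColumnName($column), $value);
    }
    return Product::model()->findAll($criteria);
}

// Typical call site inside a controller action (assumed request layout):
// $filters = isset($_GET['filter']) && is_array($_GET['filter']) ? $_GET['filter'] : array();
// $products = searchSafe($filters);
```

One caveat that is separate from injection: `compare()` treats a leading `<`, `<=`, `>`, `>=`, `<>` or `=` in the value as an operator, so a caller who wants a plain equality match on user input should check that the value does not start with one of those, or use `addCondition()` with an explicit bound parameter instead.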