Cdbcriteria::$Having - Parameters Escaping?

Hi Everybody,

I have quick question regarding CDbCriteria model.

I need to make simple list of purchases (| total price | list of items |) with filters using CGridView widget.

Part of model’s code is as follows:

$criteria = new CDbCriteria;

$criteria->select = array(


    "SUM(t.amount) AS amount",

    "GROUP_CONCAT(t.description SEPARATOR ', ') AS description",


$criteria->group = 't.payment_id';

And I would like to allow searching by SUM(t.amount), so I added:

$criteria->having = 'amount = ' . (float)$this->amount;

Then I wanted to allow searching by description:

$criteria->having = "description LIKE '%" . $this->description . "%'";    // don't do this at home

Of course above solution is SQL Injection vulnerable, so it cannot be used without escaping parameter first.

My question is - how should I get rid of this issues? Is there any way to escape string "manually"?

Why isn’t there any solution like below?

$havingCriteria = new CDbCriteria();

$havingCriteria->compare('description', $this->description, true);

$criteria->having = $havingCriteria;



$criteria->having = "description LIKE :searchparam";

$criteria->params[':searchparam'] = "%" . $this->description . "%";

Thanks redguy!

I resolved this in different, but less elegant way than you.

$criteria->having = "description LIKE " . Yii::app()->db->quoteValue('%' . $this->description . '%');