Criteria compare security

I am passing an id to my action action1my as action1my($id)

Then I am running a CDbCriteria like


		$criteria->compare('id',  $id, false, 'AND');


Is this okay or does it need some validation?

It’s OK since a PDO prepared statement is used in this case and no classical SQL injection is possible.

Actually that's not true. The CDbCriteria compare does not prevent SQL injection.

And how is that possible? As far as I know, the compare function uses named parameters in the SQL query, which prevents SQL injection… Could you provide an example of how you can inject something in such a scenario?
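The following is an added example written for this thread, not code posted by any participant or shipped by Yii. It assumes a Yii 1.1 installation at the placeholder path in the `require_once`; `CDbCriteria::compare()`, `CHttpException`, `CController` and `CActiveRecord::find()` are the real framework APIs, while `MyController`, `MyModel` and the view name are hypothetical. It shows what `compare()` does with the value from the question (it becomes a bound parameter, so the value cannot change the SQL text), and why validating `$id` before the call is still worthwhile: `compare()` honours a leading comparison operator in the value and adds no condition at all for an empty string, so an unchecked `$id` decides which rows `find()` returns even though the statement stays parameterised.

```php
<?php
// Added example, not code from the thread. Assumes Yii 1.1 at the placeholder
// path below; CDbCriteria, CHttpException, CController and CActiveRecord are
// the real framework classes, MyController and MyModel are hypothetical.
require_once '/path/to/yii/framework/yii.php'; // placeholder path

// 1. What compare() does with the value: it is stored in $criteria->params
//    under a generated named placeholder and bound by PDO at execution time,
//    so it never becomes part of the SQL text. The column name (first
//    argument) is written into the condition as given, so only the second
//    argument is suitable for data taken from a request.
function buildIdCriteria($id)
{
    $criteria = new CDbCriteria();
    $criteria->compare('id', $id, false, 'AND');
    return $criteria;
}

$c = buildIdCriteria('1 OR 1=1');
echo $c->condition, PHP_EOL;  // column, operator and a placeholder only
print_r($c->params);          // the whole input string is the bound value

// 2. Why validation still matters: a value with a leading operator changes
//    the comparison, and an empty string makes compare() add no condition,
//    so find() would return the first row of the table instead of nothing.
foreach (array('>0', '', '42') as $raw) {
    $c = buildIdCriteria($raw);
    printf("%-6s -> condition [%s] params %s\n",
        var_export($raw, true), $c->condition, json_encode($c->params));
}

// 3. Hardened version of the action from the question: accept only a plain
//    positive integer, so the resulting condition is always an equality on a
//    number and the empty-string and operator-prefix cases cannot occur.
class MyController extends CController // hypothetical controller
{
    public function actionAction1my($id)
    {
        if (!ctype_digit((string)$id) || (int)$id < 1) {
            throw new CHttpException(400, 'Invalid id.');
        }
        $criteria = new CDbCriteria();
        $criteria->compare('id', (int)$id, false, 'AND');
        $model = MyModel::model()->find($criteria); // MyModel: hypothetical AR class
        if ($model === null) {
            throw new CHttpException(404, 'The requested record does not exist.');
        }
        $this->render('view', array('model' => $model));
    }
}
```

Run the script once from the command line to see the condition text and parameter array for each input; the validation in step 3 is the check the original question asks about, and it belongs in the action (or in a model rule) rather than in the criteria, because `compare()` itself only guarantees that the value is bound, not that it is the kind of value the action expects.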