findByPk() doesn't bind parameter

I noticed that (at least with the SQLite driver) the queries generated by CActiveRecord::findByPk() aren’t prepared with a bound parameter. Since a primary key is typically something passed to an app via the query string, doing something like this is potentially vulnerable to SQL injection:


I think it would be a good idea to use parameter binding here in order to avoid this problem.
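To make the concern concrete, here is an added example (not code from the original report or from Yii) written in Python against an in-memory SQLite database, the same engine mentioned above. It contrasts a lookup that interpolates the key into the SQL text, which models the reported behaviour, with a lookup that binds the key as a parameter, plus an input check a caller can apply before the key reaches the query layer. The `post` table, its rows and the helper names are all constructed for this illustration.

```python
import sqlite3

# Constructed schema standing in for an application's "post" table.
_SCHEMA = """
CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT, is_public INTEGER);
INSERT INTO post VALUES (1, 'first', 1), (2, 'second', 0), (3, 'third', 0);
"""


def open_db():
    """Return a fresh in-memory SQLite connection with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def build_unbound_sql(pk):
    """Models the reported behaviour: the key is spliced into the SQL text.

    Whatever arrives from the query string becomes part of the statement,
    so the SQL the database parses depends on untrusted input. Returned as
    text only, so the caller can see the problem without executing it.
    """
    return f"SELECT id, title FROM post WHERE id={pk}"


def find_by_pk_bound(conn, pk):
    """Hardened form: the SQL text is constant and the key is a bound value.

    This is the pattern the report asks for; in Yii 1.x terms it corresponds
    to binding the key with CDbCommand::bindValue() rather than inlining it.
    A non-numeric string bound here is compared as data, never parsed as SQL.
    """
    sql = "SELECT id, title FROM post WHERE id = :id"
    return conn.execute(sql, {"id": pk}).fetchone()


def find_by_pk_validated(conn, raw):
    """Defence in depth: reject anything that is not an integer key up front.

    Mirrors what a controller should do with a raw $_GET['id'] before calling
    findByPk(), independent of whether the framework binds the parameter.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("primary key must be a non-negative integer")
    return find_by_pk_bound(conn, int(raw))


if __name__ == "__main__":
    db = open_db()
    hostile = "1 OR 1=1"  # constructed untrusted query-string value
    print("unbound SQL text:", build_unbound_sql(hostile))
    print("bound lookup with hostile value:", find_by_pk_bound(db, hostile))
    print("bound lookup with valid key:", find_by_pk_validated(db, "2"))
```

Run the block to see that the interpolated statement carries the raw input inside the SQL text, while the bound lookup returns no row for the same input because SQLite treats the bound string as a value to compare against `id`, and the validated wrapper refuses it before any query is issued.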