PDO, if not used in the correct way, does not save you from SQL injection, and the same is true for Yii2.
The way to avoid SQL injection in PDO (and in any generic DB driver) is to use prepared statements with placeholders and parameter binding.
What does it mean?
Let's say you have a query like
SELECT * FROM people WHERE last_name LIKE '$user_input'
If $user_input comes from user input, it is a weak point for SQL injection, because the user can insert extra SQL commands and they will be executed.
Prepared statements and placeholders avoid this problem, since the query becomes something like
SELECT * FROM people WHERE last_name LIKE :last_name
and then another function binds the parameter :last_name to the value you passed; during the binding the value is properly escaped according to the DB's SQL dialect.
How Yii2 works.
Inserting/updating data via models is safe, since with $model->last_name = 'smith' the value is bound.
Batch commands are safe for the same reason.
The weak part (or better, where you should code properly) is searching with user input.
Here is the relevant part in the docs: http://www.yiiframew…uilding-queries , check the where section.
There are three ways to add a where (or filter) condition: string format, hash format and operator format.
While hash and operator format are safe, since they use parameter binding, string format is not, since the raw string is passed to the DB.
String format should never be used with user input; it is intended for simple where conditions like a record's flag, whose value you control directly:
good --> $query->where('status=1');
BAD --> $query->where("status=$status");
The same applies when you use Expression with user input.
Use the Yii debug console to check the queries your code executes and see whether they use parameter binding.
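To see the difference described above in running code, here is an added example (not from the original post or from Yii) using plain PDO on an in-memory SQLite table, with the interpolated query beside the prepared one; the Yii2 where() lines at the end assume an ActiveQuery named $query and are commented out because they need a Yii application to run.

```php
<?php
// Added example: PDO on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, last_name TEXT, status INTEGER)');
$pdo->exec("INSERT INTO people (last_name, status) VALUES ('smith', 1), ('jones', 0)");

// Constructed user input: it closes the quoted literal and appends its own condition.
$userInput = "x' OR '1'='1";

// BAD: the raw string is pasted into the SQL text, so the input rewrites the query
// and every row comes back instead of none.
$sql = "SELECT * FROM people WHERE last_name LIKE '$userInput'";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "interpolated: " . count($rows) . " rows\n"; // 2 rows: the input became SQL

// GOOD: placeholder plus binding; the input is only ever a value, never SQL.
$stmt = $pdo->prepare('SELECT * FROM people WHERE last_name LIKE :last_name');
$stmt->bindValue(':last_name', $userInput, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared: " . count($rows) . " rows\n"; // 0 rows: no last_name equals that text

// The same split in Yii2's where() (assumes a Yii2 ActiveQuery in $query):
// $query->where("last_name LIKE '$userInput'");      // string format: raw text, BAD
// $query->where(['like', 'last_name', $userInput]);   // operator format: value is bound
// $query->where(['last_name' => $userInput]);         // hash format: value is bound
```

The two echo lines are the check: the interpolated query returns both rows while the prepared one returns none, which is exactly what the debug output of a Yii2 query should also show (a :qp0 style placeholder with the value bound separately).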