Is this secure code?

Hello.

Can you please comment: is this secure code?


$userid=Yii::app()->user->id;

$sqlCommand = "SELECT mail FROM user WHERE id = ".$userid." ";

$mail = Yii::app()->db->createCommand($sqlCommand)->queryScalar();

Or can I connect to the DB directly in a more secure way?

What do you mean by "connect to DB directly"?

No, it’s not…
Please use bindValue()

https://www.yiiframework.com/doc/api/2.0/yii-db-command#bindValue()-detail
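
The difference between the concatenated query in the question and the bindValue() approach from the answer, as an added example that is not part of the original thread. It uses plain PDO with an in-memory SQLite database in place of Yii's connection; the function names, table rows and `$userid` values are constructed for illustration.

```php
<?php
// Added example: plain PDO + in-memory SQLite stands in for Yii::app()->db.
// Table rows and the $userid values below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, mail TEXT)');
$db->exec("INSERT INTO user (id, mail) VALUES
           (1, 'alice@example.com'), (2, 'bob@example.com')");

// Pattern from the question: the value becomes part of the SQL text,
// so anything non-numeric in it is parsed as SQL.
function mailConcatenated(PDO $db, $userid)
{
    $sql = "SELECT mail FROM user WHERE id = " . $userid . " ";
    return $db->query($sql)->fetchColumn();
}

// Pattern from the answer: the SQL text is fixed and the value is bound
// as data, so it can only ever be compared against the id column.
function mailBound(PDO $db, $userid)
{
    $stmt = $db->prepare('SELECT mail FROM user WHERE id = :id');
    $stmt->bindValue(':id', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}

// A well-formed id behaves the same in both functions; the second value
// shows what changes when the "id" is not a plain number.
foreach ([2, '0 OR 1=1'] as $userid) {
    printf(
        "%-12s concatenated=%s bound=%s\n",
        var_export($userid, true),
        var_export(mailConcatenated($db, $userid), true),
        var_export(mailBound($db, $userid), true)
    );
}

// The same binding with the Yii 1.1 command object used in the question:
// $mail = Yii::app()->db
//     ->createCommand('SELECT mail FROM user WHERE id = :id')
//     ->bindValue(':id', $userid, PDO::PARAM_INT)
//     ->queryScalar();
```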