Model::updateAll() security issue


i want to update some products via Product::updateAll, but i cant give my new values via parameter. i worry about security issues like sql injection etc etc

Product::updateAll(['title' => 'new title'], 'id IN ( 1,2,3)');

what should i do?

thanks in advance.

Have you tried the 3rd parameter?

updateAll doc

how? like this:

Product::updateAll(['title' => ':title'], 'id IN ( 1,2,3)', [':title' => 'new title']);

It didn’t work :(

Finally I had to use following :angry: :


This should work:

Product::updateAll(['title' => 'new title'], ['id' => [1, 2, 3]]);

or if you want to bound parameter:

Product::updateAll(['title' => ':newtitle'], ['id' => [1, 2, 3]], [':newtitle' => 'new title']);

thx, i will test it

btw how do i know if model->findOne(id) does care about sql injection or not? what about queries with IN(x,y,z) clauses?


didnt work, actually parameters only work if they are use in where section.

You can do it like the following:

$title = 'This is the new title';


    ['title' => new yii\db\expression(':newtitle')],

    ['id' => [1, 2, 3]],

    [':newtitle' => $title]


You have to say that ‘:newtilte’ is an expression, otherwise it will be treated as a string literal.

But, in order to avoid sql injection, you may simply do it like this:

$title = 'This is the new title';


    ['title' => $title],

    ['id' => [1, 2, 3]]


Yii will automatically use the parameter-binding approach for ‘title’ and $title.

You can check the source code of yii\db\QueryBuilder\update()