hi
i want to update some products via Product::updateAll, but i cant give my new values via parameter. i worry about security issues like sql injection etc etc
Product::updateAll(['title' => 'new title'], 'id IN ( 1,2,3)');
what should i do?
thanks in advance.
Have you tried the 3rd parameter?
updateAll doc
how? like this:
Product::updateAll(['title' => ':title'], 'id IN ( 1,2,3)', [':title' => 'new title']);
It didn’t work 
Finally I had to use following 
:
Yii::$app->db->createCommand
This should work:
Product::updateAll(['title' => 'new title'], ['id' => [1, 2, 3]]);
or if you want to bound parameter:
Product::updateAll(['title' => ':newtitle'], ['id' => [1, 2, 3]], [':newtitle' => 'new title']);
thx, i will test it
btw how do i know if model->findOne(id) does care about sql injection or not? what about queries with IN(x,y,z) clauses?
thanks
didnt work, actually parameters only work if they are use in where section.
You can do it like the following:
$title = 'This is the new title';
Product::updateAll(
['title' => new yii\db\expression(':newtitle')],
['id' => [1, 2, 3]],
[':newtitle' => $title]
);
You have to say that ‘:newtilte’ is an expression, otherwise it will be treated as a string literal.
But, in order to avoid sql injection, you may simply do it like this:
$title = 'This is the new title';
Product::updateAll(
['title' => $title],
['id' => [1, 2, 3]]
);
Yii will automatically use the parameter-binding approach for ‘title’ and $title.
You can check the source code of yii\db\QueryBuilder\update()