Is there a Yii way of sanitizing a large sql string built using a for/while loop?
The example below shows an sql string generated from a csv file
$startSql = "INSERT INTO mytable (column1, column2, column3) VALUES";
if (($handle = fopen('data.csv', "r")) !== false) {
while (($data = fgetcsv($handle, 1000, ",")) !== false) {
//build each value statement with no sanitization!
$insertArray[]="('$data[0]','$data[1]','$data[2]')";
}
fclose($handle);
}
$sql=implode(",",$insertArray);
$commitSql=$startSql.$sql;
Yii::app()->db->createCommand($commitSql)->execute();
I know that bindParam and bindValue cannot be used in this instance. Is there a better way to construct such a query that can make use of Yii’s paramater binding or do I need to use addslashes etc…