To prevent SQL injection, do we need to use bindParams for the $command->insert statement?
Or does Yii's $command->insert take care of SQL injection?
$product_data = array(
    "product_id" => $product_id,
    "product_comment" => $comment,
    "product_created_by" => Yii::app()->session->get('user_id'),
    "product_created_on" => date('Y-m-d H:i:s'),
);
$command->insert('products', $product_data);
Cheers 
insert() method
Creates and executes an INSERT SQL statement. The method will properly escape the column names, and bind the values to be inserted.
http://www.yiiframework.com/doc/api/1.1/CDbCommand#insert-detail
1 Like
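The documented behaviour quoted above (escaped column names, bound values), shown as an added example that is not part of the thread and is not Yii's own code. It uses plain PDO with an in-memory SQLite database; the helper name `insertBound` and the sample comment value are assumptions made for illustration.

```php
<?php
// Hypothetical helper: quotes identifiers and binds values, which is what the
// CDbCommand::insert() documentation describes. This is not Yii's source code.
function insertBound(PDO $db, string $table, array $columns): int
{
    // Identifiers cannot be bound as parameters, so they are quoted instead.
    $quote = function (string $name): string {
        return '"' . str_replace('"', '""', $name) . '"';
    };

    $names = $placeholders = $params = [];
    $i = 0;
    foreach ($columns as $name => $value) {
        $names[] = $quote($name);
        $placeholders[] = ":p$i";
        $params[":p$i"] = $value;   // the value travels separately from the SQL text
        $i++;
    }

    $sql = 'INSERT INTO ' . $quote($table)
         . ' (' . implode(', ', $names) . ')'
         . ' VALUES (' . implode(', ', $placeholders) . ')';

    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (product_id INTEGER, product_comment TEXT,
           product_created_by INTEGER, product_created_on TEXT)');

// Constructed input: a comment that contains a quote and SQL syntax.
$comment = "it's fine'); DELETE FROM products; --";

insertBound($db, 'products', [
    'product_id'         => 42,
    'product_comment'    => $comment,
    'product_created_by' => 7,
    'product_created_on' => date('Y-m-d H:i:s'),
]);

// The comment comes back byte for byte as data; it was never parsed as SQL.
$stored = $db->query('SELECT product_comment FROM products')->fetchColumn();
var_dump($stored === $comment);
var_dump((int) $db->query('SELECT COUNT(*) FROM products')->fetchColumn());
```

Binding protects the values only. Table and column names are escaped rather than bound, so keep them hard-coded as in the question instead of taking array keys from request input.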
Keith
(Kburton)
3
As mentioned in the docs:
So yes, the parameters that you pass in will be bound, which will prevent SQL injection.
EDIT: Ninja’d 
softark
(Softark)
4
Completely OT, but I wonder what “Ninja’d” means??? (I’m from the country of Ninja …)
Keith
(Kburton)
5
Urban dictionary to the rescue!
It basically refers to someone sneaking in before you and pre-empting your post.