Sql Injection For Insert Query

To prevent SQL injection, do we need to use bind params for the $command->insert statement?

Or does Yii's $command->insert take care of SQL injection?


// $command is a CDbCommand obtained from the application's db connection
$command = Yii::app()->db->createCommand();

$product_data = array(
    "product_id"         => $product_id,
    "product_comment"    => $comment,
    "product_created_by" => Yii::app()->session->get('user_id'),
    "product_created_on" => date('Y-m-d H:i:s'),
);

$command->insert('products', $product_data);



Cheers :)

insert() method

Creates and executes an INSERT SQL statement. The method will properly escape the column names, and bind the values to be inserted.

http://www.yiiframework.com/doc/api/1.1/CDbCommand#insert-detail

1 Like

As mentioned in the docs:

So yes, the parameters that you pass in will be bound, which will prevent SQL injection.

EDIT: Ninja’d :D
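The following is an added example to illustrate the two answers above; it is not code from the original post or from the Yii project. It assumes a Yii 1.1 application with a configured `db` component and a `products` table whose columns are `product_id`, `product_comment`, `product_created_by` and `product_created_on`; the hostile `$comment` value is constructed for the demonstration. It contrasts the unsafe string-built INSERT with `CDbCommand::insert()`, and also shows the equivalent hand-written statement with explicit `bindValue()` placeholders for cases where `insert()` cannot express the SQL you need.

```php
<?php
// Added example, not from the original post or from Yii itself.
// Assumes: Yii 1.1 app, 'db' component configured, a `products` table with
// columns product_id, product_comment, product_created_by, product_created_on.

$productId = 42;                                        // constructed sample value
$comment   = "x'); DELETE FROM products; --";            // constructed hostile input
$userId    = (int) Yii::app()->session->get('user_id');  // session value, cast to int
$createdOn = date('Y-m-d H:i:s');

// UNSAFE: interpolating $comment puts attacker-controlled text into the SQL text.
// A single quote in $comment ends the literal and the rest is parsed as SQL.
$sqlUnsafe = "INSERT INTO products "
           . "(product_id, product_comment, product_created_by, product_created_on) "
           . "VALUES ($productId, '$comment', $userId, '$createdOn')";
// Yii::app()->db->createCommand($sqlUnsafe)->execute();  // do not do this

// SAFE (1): insert() quotes the column names and binds every value as a
// parameter, so $comment reaches the database as data, never as SQL.
$rows = Yii::app()->db->createCommand()->insert('products', array(
    'product_id'         => $productId,
    'product_comment'    => $comment,
    'product_created_by' => $userId,
    'product_created_on' => $createdOn,
));

// SAFE (2): the same statement written by hand with named placeholders.
// Use this form when you need SQL that insert() cannot build for you.
$command = Yii::app()->db->createCommand(
    'INSERT INTO products '
    . '(product_id, product_comment, product_created_by, product_created_on) '
    . 'VALUES (:id, :comment, :by, :on)'
);
$command->bindValue(':id',      $productId, PDO::PARAM_INT);
$command->bindValue(':comment', $comment,   PDO::PARAM_STR);
$command->bindValue(':by',      $userId,    PDO::PARAM_INT);
$command->bindValue(':on',      $createdOn, PDO::PARAM_STR);
$rows = $command->execute();
```

Binding covers values only. The table and column names you pass to `insert()` (or write into the SQL string) still come from your own code; do not build them from request input, since an identifier is not something a placeholder can carry. Likewise, the protection is lost the moment a value is concatenated into the SQL text before the command is created, as in the unsafe variant above.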

Completely OT, but I wonder what “Ninja’d” means??? (I’m from the country of Ninja …)

Urban dictionary to the rescue!

It basically refers to someone sneaking in before you and pre-empting your post.

Thanks, I got it. :)