Suggestion For Security


I need to create a custom SQL string because I need to split phrases into words (via the explode function) and use LIKE-OR for each word.

The query is something like this:

$query = "the select statement";
$where = "the where statement";

// append conditions only for the fields that are set
if (!empty($table->field)) $where .= 'where statement';
if (!empty($table->field1)) $where .= 'additional where statement';

return $query . $where;

Are there some available Yii functions for pure string queries, or do I have to use third-party functions for SQL injection?


Use SQL params. Then you do not have to escape anything:

$command = Yii::app()->db->createCommand( 'SELECT custom.fields FROM xxx WHERE xxx.field = :param1 AND xxx.field2 LIKE :param2' );

$result = $command->query( array( ':param1'=>'aaaaa', ':param2'=>'%' . $_GET['xxx'] . '%' ) );

Thanks! Didn't think of that.

And if you really need quoting for some reason, there are functions in the CDbConnection object:

$db = Yii::app()->db;

$val = $db->quoteValue( 'value' );

$table = $db->quoteTableName( 'table_name' );

$col = $db->quoteColumnName( 'column' );
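Putting the two answers together for the question's actual case (a phrase exploded into words, each matched with LIKE across several columns): the helper below is an added example written for this thread, not code from the original posts or from the Yii project. It binds every user-supplied word as a named parameter, so the quote and `OR 1=1` in the constructed sample input stay inside a value and never become SQL text. Column and table names are the one thing parameters cannot carry; they stay developer-controlled here (that is where `quoteColumnName`/`quoteTableName` would apply). The `buildWordSearch` function and the `p.name`/`p.description` columns are assumptions for the example, and the wildcard escaping assumes MySQL's default backslash escape character.

```php
<?php
// Added example, not from the original thread: build the LIKE-OR clause
// from the question with every word bound as a named parameter.
// Assumptions: column names are chosen by the developer, never by the user;
// MySQL-style backslash escaping for the LIKE wildcards % and _.

/**
 * Split a phrase into words and return a parameterised WHERE fragment
 * plus the array of parameters to bind with it.
 *
 * @param string   $phrase  raw user input, e.g. $_GET['q']
 * @param string[] $columns column names selected by the developer
 * @return array   array('where' => string, 'params' => array)
 */
function buildWordSearch($phrase, array $columns)
{
    // explode() on spaces, then drop the empty tokens left by repeated spaces
    $words = array_filter(explode(' ', trim($phrase)), 'strlen');

    $conditions = array();
    $params = array();
    $i = 0;
    foreach ($words as $word) {
        // Escape LIKE wildcards so a user typing '%' or '_' cannot widen the
        // match to every row; a quote or SQL keyword needs no escaping at all,
        // because the value is bound, not concatenated.
        $escaped = addcslashes($word, '%_\\');
        foreach ($columns as $col) {
            // A fresh placeholder per condition works with both emulated and
            // native prepared statements (some drivers reject reused names).
            $name = ':w' . $i++;
            $params[$name] = '%' . $escaped . '%';
            $conditions[] = $col . ' LIKE ' . $name;
        }
    }

    if (empty($conditions)) {
        // No search words: match everything instead of emitting invalid SQL.
        return array('where' => '1=1', 'params' => array());
    }
    return array(
        'where'  => '(' . implode(' OR ', $conditions) . ')',
        'params' => $params,
    );
}

// Constructed sample input standing in for $_GET['q'].
$search = buildWordSearch("red  shoes' OR 1=1 --", array('p.name', 'p.description'));

$sql = 'SELECT p.id, p.name FROM product p WHERE p.active = :active AND ' . $search['where'];
$params = array_merge(array(':active' => 1), $search['params']);

echo $sql, PHP_EOL;   // only placeholders appear in the SQL text
print_r($params);     // the hostile input sits harmlessly inside bound values

// With a configured Yii 1.1 application the same pieces run as:
// $rows = Yii::app()->db->createCommand($sql)->queryAll(true, $params);
```

The printed SQL contains nothing but placeholders after `WHERE`, while `$params` holds `%shoes\'%`-style values (the quote untouched, `%` and `_` escaped). If a column name ever has to come from configuration rather than from a literal, pass it through `$db->quoteColumnName()` before handing it to the helper, since identifiers cannot be bound as parameters.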