Most of the time the queries generated by SQL implicitly use binds, like when you use [font="Courier New"]CDbCriteria::compare()[/font]. However, when you call [font="Courier New"]$model->findByPk($pk)[/font], it is not the case.
In [font="Courier New"]framework/db/schema/CDbCommandBuilder.php[/font], in the [font="Courier New"]createPkCriteria()[/font] function, line 624 simply generates a hardcoded string like [font="Courier New"]"id=1"[/font] without any binds.
I’m curious: is there any particular reason for that? The [font="Courier New"]findByPk[/font] calls are something that should happen often in almost any app and in theory should get a speed benefit from parameterization.
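
Added example, not part of the original post and not Yii's code: a plain PDO sketch of the two forms the post contrasts, a key inlined into the SQL text versus a key sent as a bound parameter, counting how many distinct statement texts each form produces. The in-memory SQLite table, its rows and the function names are constructed for illustration, and the integer cast on the inlined key is this example's assumption, not a statement about what Yii does.

```php
<?php
// Added example, not Yii code. Table, rows and function names are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO post (id, title) VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// Inlined form: the key becomes part of the SQL text, like "id=1".
// The (int) cast is this example's way of keeping the literal safe.
function findByPkInlined(PDO $db, $pk, array &$seenSql)
{
    $sql = 'SELECT id, title FROM post WHERE id=' . (int) $pk;
    $seenSql[$sql] = true;               // record each distinct statement text
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Bound form: the SQL text is constant and the key travels as a parameter,
// so one prepared statement can be reused for every key.
function findByPkBound(PDO $db, $pk, array &$seenSql, array &$prepared)
{
    $sql = 'SELECT id, title FROM post WHERE id=:id';
    $seenSql[$sql] = true;
    if (!isset($prepared[$sql])) {
        $prepared[$sql] = $db->prepare($sql);   // prepared once, then cached
    }
    $stmt = $prepared[$sql];
    $stmt->bindValue(':id', $pk, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stmt->closeCursor();                       // release the cursor before reuse
    return $row;
}

$inlinedSql = array();
$boundSql = array();
$prepared = array();
foreach (array(1, 2, 3, 2) as $pk) {
    $a = findByPkInlined($db, $pk, $inlinedSql);
    $b = findByPkBound($db, $pk, $boundSql, $prepared);
    if ($a != $b) {
        throw new RuntimeException("row mismatch for pk $pk");
    }
}
printf("distinct SQL texts, inlined: %d\n", count($inlinedSql));
printf("distinct SQL texts, bound:   %d\n", count($boundSql));
```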