yii2 active record bind parameter

yiqiang · October 8, 2014, 8:52am

I am confused about yii2 active record.

If i am not wrong, i think the php PDO binding param will auto escape the input before query the database.

My quesiton based on yii2 active record such as queries below

$customers = Customer::find()

-&gt;where(['status' =&gt; &#036;status)


-&gt;orderBy('id')


-&gt;all();

will auto escape $status? or if not how can i bind param for this kind of query. Please also give an example on the create query.

Thanks.

vundicind · October 8, 2014, 10:01am

You can check it by yourself :




$query = Customer::find()

->where(['status' => $status])

->orderBy('id');

$command = $query->createCommand();

echo $command->rawSql;

yiqiang · October 9, 2014, 2:44am

strange using your quote, i get an error "Call to a member function createCommand() on a non-object"

zelenin · October 9, 2014, 7:10am

You should read documentation, then write your questions

github.com

yiisoft/yii2/blob/master/docs/guide/db-query-builder.md#where

Query Builder
=============

Built on top of [Database Access Objects](db-dao.md), query builder allows you to construct a SQL query
in a programmatic and DBMS-agnostic way. Compared to writing raw SQL statements, using query builder will help you write 
more readable SQL-related code and generate more secure SQL statements.  

Using query builder usually involves two steps:

1. Build a [[yii\db\Query]] object to represent different parts (e.g. `SELECT`, `FROM`) of a SELECT SQL statement.
2. Execute a query method (e.g. `all()`) of [[yii\db\Query]] to retrieve data from the database.

The following code shows a typical way of using query builder:

```php
$rows = (new \yii\db\Query())
    ->select(['id', 'email'])
    ->from('user')
    ->where(['last_name' => 'Smith'])
    ->limit(10)

This file has been truncated. show original

github.com

yiisoft/yii2/blob/master/docs/guide/db-active-record.md#working-with-relational-data

Active Record
=============

[Active Record](http://en.wikipedia.org/wiki/Active_record_pattern) provides an object-oriented interface
for accessing and manipulating data stored in databases. An Active Record class is associated with a database table,
an Active Record instance corresponds to a row of that table, and an *attribute* of an Active Record
instance represents the value of a particular column in that row. Instead of writing raw SQL statements,
you would access Active Record attributes and call Active Record methods to access and manipulate the data stored 
in database tables.

For example, assume `Customer` is an Active Record class which is associated with the `customer` table
and `name` is a column of the `customer` table. You can write the following code to insert a new
row into the `customer` table:

```php
$customer = new Customer();
$customer->name = 'Qiang';
$customer->save();
```

This file has been truncated. show original

there are examples with params binding.

shoneZ89 · October 9, 2014, 6:02pm

I’ve made post with similar question, and answer is : yii will auto escape and bind.

You can read about it here.

omeraslam · December 22, 2018, 9:38am

which link ? you never posted the link