Mysqli_real_escape_string in Yii 2 with DAO or something else?

I am using Yii 2 and am about to get started with databases for the first time, and I was wondering whether there is anything else in Yii 2 you should use to prepare data for a database, like the standard function mysqli_real_escape_string, or should I just use that?

I am not using prepared statements; I am accessing the database via database access objects, and I am wondering how I can escape the data I am passing to it.

I found the quoteValue method, but it is in what Yii calls Connection ("represents a connection to a database via PDO"), so I wasn't sure if this was the correct method to use?

+3




2 answers


As you said, you must use quoteValue.

If your DAO component name is db, you should just try:

$quoteValue = \Yii::$app->db->quoteValue($value);


+9




Yii2 uses parameter binding, so pass any user input as a parameter, not directly into SQL via concatenation.

$query->where('status=:status', [':status' => $status]);
//or
$query->where('status=:status');
$query->addParams([':status' => $status]);
//or
$query->where(['status' => 10]);




Ref http://www.yiiframework.com/doc-2.0/guide-db-query-builder.html#where

+1
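Putting the two answers side by side, as an added example that is not code from either answer or from the Yii project. It assumes a bootstrapped Yii 2 application with a db component and a user table with columns id, username and status; the findByUsername* function names are hypothetical.

```php
<?php
// Added example, not from the original answers: one lookup done three ways
// against Yii 2 DAO. Assumes a bootstrapped Yii 2 application with a `db`
// component and a `user` table with columns `id`, `username`, `status`.

use yii\db\Connection;

/** Unsafe: the raw value is spliced into the SQL text; a quote in it breaks the statement. */
function findByUsernameUnsafe(Connection $db, string $username): array
{
    return $db->createCommand("SELECT id, status FROM user WHERE username = '$username'")
        ->queryAll();
}

/** Preferred (second answer): bound parameter; the value never becomes SQL text. */
function findByUsernameBound(Connection $db, string $username): array
{
    return $db->createCommand('SELECT id, status FROM user WHERE username = :username')
        ->bindValue(':username', $username)
        ->queryAll();
}

/**
 * Fallback (first answer) for the places binding cannot reach, here a dynamic
 * ORDER BY: quoteValue() for the literal, quoteColumnName() for the identifier,
 * and a whitelist so only known columns can be sorted on.
 */
function findByUsernameQuoted(Connection $db, string $username, string $orderBy): array
{
    if (!in_array($orderBy, ['id', 'status'], true)) {
        throw new InvalidArgumentException("Unsupported sort column: $orderBy");
    }
    $sql = 'SELECT id, status FROM user WHERE username = ' . $db->quoteValue($username)
         . ' ORDER BY ' . $db->quoteColumnName($orderBy);
    return $db->createCommand($sql)->queryAll();
}

$db   = Yii::$app->db;
$name = "O'Brien"; // constructed input: a legitimate value that contains a quote

// findByUsernameUnsafe($db, $name) throws yii\db\Exception on this input because
// the resulting SQL is malformed; the other two treat the apostrophe as plain data.
$bound  = findByUsernameBound($db, $name);
$quoted = findByUsernameQuoted($db, $name, 'id');
assert(count($bound) === count($quoted));
```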








