SQL injection
A SQL injection attack can read or modify database data by turning untrusted input into part of a SQL statement. Always validate all input on the server, and never concatenate that input into SQL text. The following examples show how to build parameterized queries, where each value is bound separately from the statement:
Example #1:
$user = Yii::$app->db->createCommand('SELECT * FROM user WHERE id = :id')
    ->bindValue(':id', 123, PDO::PARAM_INT)   // bind a single value with an explicit type
    ->queryOne();
Example #2:
$params = [':id' => 123];
$user = Yii::$app->db->createCommand('SELECT * FROM user WHERE id = :id')
    ->bindValues($params)                     // bind several values from an array
    ->queryOne();
// Equivalent: pass the parameter array directly to createCommand()
$user = Yii::$app->db->createCommand('SELECT * FROM user WHERE id = :id', $params)
    ->queryOne();
Example #3:
$command = Yii::$app->db->createCommand('SELECT * FROM user WHERE id = :id');
$user = $command->bindValue(':id', 123)->queryOne();   // the command is created first and bound later
Example #4: Wrong: don't do this!
// Wrong: don't do this! The request value is concatenated into the SQL text,
// so whatever arrives in $_GET['id'] becomes part of the statement itself.
$user = Yii::$app->db->createCommand('SELECT * FROM user WHERE id = ' . $_GET['id'])->queryOne();
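The two rules above, validate on the server and bind every value, applied in one request handler. This is an added example, not code from the Yii guide; it assumes Yii 2 with a configured `db` component and a `user` table with integer `id`, string `username` and integer `status` columns.

```php
<?php
// Added example (not from the Yii guide). Assumes Yii 2, a configured `db`
// component and a `user` table with `id`, `username` and `status` columns.

use yii\db\Query;
use yii\web\BadRequestHttpException;

function findUserById(string $rawId): ?array
{
    // 1. Validate on the server: the id must be a positive integer. A value
    //    such as "1 OR 1=1" is rejected here, before any SQL is built.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new BadRequestHttpException('id must be a positive integer');
    }

    // 2. Bind the value: the SQL text never contains it, so even a value that
    //    passed validation cannot change the structure of the statement.
    $user = Yii::$app->db->createCommand('SELECT id, username, status FROM user WHERE id = :id')
        ->bindValue(':id', $id, PDO::PARAM_INT)
        ->queryOne();

    return $user === false ? null : $user;   // queryOne() returns false when no row matches
}

function findActiveUsersByName(string $rawName): array
{
    // Several placeholders bound at once (the bindValues() form from Example #2).
    // Quotes or comment sequences inside $rawName are ordinary characters to
    // the database, not SQL, because the value travels separately from the text.
    return Yii::$app->db->createCommand(
        'SELECT id, username FROM user WHERE username = :name AND status = :status'
    )
        ->bindValues([':name' => $rawName, ':status' => 10])
        ->queryAll();
}

function findUserByIdWithQueryBuilder(int $id): ?array
{
    // The query builder produces the same parameterized statement: values in a
    // hash-format condition are bound, never spliced into the SQL.
    $row = (new Query())->from('user')->where(['id' => $id])->one();
    return $row === false ? null : $row;
}
```

Parameter binding covers values only; table and column names (for example a user-chosen sort column) cannot be bound and must be checked against a fixed allowlist instead.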