Say, I am going to follow the good practice of avoiding SQL injection. So this is not good:

      $query="SELECT id,tag  FROM tbl_tags WHERE tag LIKE '%".$tag."%' ORDER BY creation_time DESC LIMIT 0,10 ";

Instead I have to use parameter binding:

     $query="SELECT id,tag  FROM tbl_tags WHERE tag LIKE :tag ORDER BY creation_time DESC LIMIT 0,10 ";
     $command = Yii::app()->db->createCommand($query);
     $command->bindParam(":tag", "%{$tag}%", PDO::PARAM_STR);
     $models = $command->queryAll();

But this generates: Fatal error: Cannot pass parameter 2 by reference

How can I bind this LIKE-oriented parameter?

Manquer

2 Answers

Try to use the query builder. So your query will look like the following:

    // Yii 1.x CDbCommand query builder; the bound value is passed as the second
    // argument of where(), so no bindParam()/bindValue() call is needed.
    // limit() takes the row count as its first argument (and an optional offset),
    // not a "0, 10" string, which would be cast to LIMIT 0 and return nothing.
    $models = Yii::app()->db->createCommand()
        ->select('id, tag')
        ->from('tbl_tags')
        ->where('tag LIKE :tag', array(':tag' => "%{$tag}%"))
        ->order('creation_time DESC')
        ->limit(10, 0)
        ->queryAll();

It's better if you're looking for a good practice.

P.S.: Replied from iPhone, excuse typos.

Sobit Akhmedov

By reading the manual page for this function or by googling for the error message.

Both will tell you that bindValue() has to be used instead.

Your Common Sense
  • Yii is poorly documented. I still don't know what the difference between bindParam() and bindValue() is. However, the problem is solved by altering the parameter a little bit: $tag='%$tag%'; then I can use bindParam(). – Thirsty Learner May 24 '13 at 14:45
  • It's not Yii, it's PDO, which is perfectly documented in the PHP manual – Your Common Sense May 24 '13 at 14:47
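As an added example that is not from the question or either answer: the same LIKE query done with plain PDO (which is what Yii's bindParam()/bindValue() wrap), showing why bindValue() accepts a temporary while bindParam() needs a variable, and also escaping the user-supplied `%` and `_` so they match literally instead of acting as wildcards. The in-memory SQLite table, its rows, and the helper names likeEscape and findTags are constructed for this demo.

```php
<?php
// Constructed demo table so the example runs offline with PHP's built-in SQLite driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_tags (id INTEGER PRIMARY KEY, tag TEXT, creation_time INTEGER)');
$ins = $pdo->prepare('INSERT INTO tbl_tags (tag, creation_time) VALUES (:tag, :t)');
foreach ([['php', 1], ['100%', 2], ['sql_injection', 3], ['yii', 4]] as [$tag, $t]) {
    $ins->execute([':tag' => $tag, ':t' => $t]);
}

// Parameter binding stops SQL injection, but "%" and "_" typed by the user are
// still LIKE wildcards inside the bound pattern. Escape them (and the escape
// character itself) and tell the database which escape character is in use.
function likeEscape(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

function findTags(PDO $pdo, string $userInput): array
{
    $sql = "SELECT id, tag FROM tbl_tags WHERE tag LIKE :tag ESCAPE '\\' "
         . "ORDER BY creation_time DESC LIMIT 10";
    $stmt = $pdo->prepare($sql);
    // bindValue() copies the value at call time, so a temporary expression is fine.
    // bindParam() binds by reference and therefore needs a real variable, which is
    // exactly the "Cannot pass parameter 2 by reference" error from the question.
    $stmt->bindValue(':tag', '%' . likeEscape($userInput) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// With escaping, a literal "%" in the input only matches the row containing "%".
// Without it, the pattern "%%%" would match every row in the table.
print_r(findTags($pdo, '%'));   // one row: 100%
print_r(findTags($pdo, 'sql')); // one row: sql_injection

// The bindParam() variant from the comments: put the pattern in a variable first.
$pattern = '%' . likeEscape('yi') . '%';
$stmt = $pdo->prepare("SELECT id, tag FROM tbl_tags WHERE tag LIKE :tag ESCAPE '\\'");
$stmt->bindParam(':tag', $pattern, PDO::PARAM_STR); // variable, so by-reference binding works
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_ASSOC)); // one row: yii
```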