The Select class will cleverly check your predicate(s) and add them in a safe manner to the query to prevent SQL injection. I'd recommend you to take a look at the source for yourself, so I'll point you to the process and the classes that are responsible for this in the latest ZF version.
Predicate Processing
Take a look at the class PredicateSet. The method \Zend\Db\Sql\Predicate::addPredicates determines the best way to handle your predicate based on their type. In your case you are using an associative array. Every item in that array will be checked and processed based on type:
- If an abstraction replacement character (question mark) is found, it will be turned into an Expression.
- If the value is NULL, an IS NULL check will be performed on the column found in the key: WHERE key IS NULL.
- If the value is an array, an IN check will be performed on the column found in the key: WHERE key IN (arrayVal1, arrayVal2, ...).
- Otherwise, the predicate will be a new Operator of the type 'equals': WHERE key = value.
In each case the final predicate to be added to the Select will be implementing PredicateInterface.
Preparing the statement
The method \Zend\Db\Sql\Sql::prepareStatementForSqlObject instructs its adapter (i.e. PDO) to create a statement that will be prepared. From here it gets a little bit more complicated.
\Zend\Db\Sql is where the real magic happens: in the method \Zend\Db\Sql::createSqlFromSpecificationAndParameters the function vsprintf is used to build the query strings, as you can see here.
Note
Please consider using the new docs.framework.zend.com website from now on. This website is leading when it comes to documentation of the latest version.
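To see the four predicate branches described in the answer and the prepared-statement path in action, here is an added example that is not part of the original answer and not code from the Zend Framework project itself. It assumes Zend\Db (ZF2) is installed through Composer and autoloaded from vendor/autoload.php, that the PDO SQLite extension is available, and it uses a made-up table "users" with made-up column names purely to drive the query builder; the in-memory SQLite database exists only so that a statement can be prepared.

```php
<?php
// Added example (not from the original answer or the Zend project).
// Assumes: Composer autoloader, PDO SQLite extension, and a hypothetical
// "users" table whose columns are invented for illustration.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Sql;

// In-memory SQLite adapter: no real data is needed, only a driver that can
// prepare a statement and hold the bound parameters.
$adapter = new Adapter([
    'driver'   => 'Pdo_Sqlite',
    'database' => ':memory:',
]);

$sql    = new Sql($adapter);
$select = $sql->select('users');

// One associative-array entry per branch of PredicateSet::addPredicates:
$select->where([
    'age > ?'  => 18,                   // key contains '?': becomes an Expression with a bound value
    'deleted'  => null,                 // NULL value: "deleted" IS NULL (no parameter at all)
    'role'     => ['admin', 'editor'],  // array value: "role" IN (?, ?), one parameter per element
    'username' => "o'connor",           // anything else: "username" = ?  (quote travels as data)
]);

// Sql::prepareStatementForSqlObject() asks the PDO adapter for a prepared
// statement; the SQL text carries placeholders and the values are kept in a
// ParameterContainer, so user input never becomes part of the SQL string.
$statement = $sql->prepareStatementForSqlObject($select);

echo $statement->getSql(), PHP_EOL;
print_r($statement->getParameterContainer()->getNamedArray());
```

Running this prints the generated SELECT with placeholders in place of every value, followed by the parameter array holding 18, 'admin', 'editor' and "o'connor". The single quote inside "o'connor" is the point to check: it appears only in the parameter list, never in the SQL text, which is exactly the property that makes the array form of where() safe against injection. Compare that with the 'age > ?' key, which is handed to Expression verbatim, so column names or operators placed in the key position must come from your own code, not from request input.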