CActiveRecord and SQL Injection

Does CActiveRecord employ prepared statements or some other method to prevent SQL injection attacks? It’s fairly clear to me how use of the rules() function will prevent attacks on numerical fields. How injection would be prevented on character fields eludes me, however.

I’m somewhat new to Yii, and active records, so forgive me if this is something I should know. I have searched and can’t find an answer.

rules() ensures that user inputs are in the format of what you want. AR also uses prepared statements (binding parameters rather than embedding them into the SQL) whenever possible.
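As an added illustration of the answer above (example code, not from the thread or the Yii project), the following Yii 1.x snippet shows which CActiveRecord call forms bind parameters and which one leaves raw input in the SQL text; the `User` model, its columns and the `rules()` entries are assumed for the example.

```php
<?php
// Added example: assumes a "user" table with columns id, username, email, age.
// CActiveRecord's default tableName() is the class name, so it is omitted here.

class User extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    // rules() validates the shape of input before save(); it is not what
    // prevents injection in finders, but it rejects malformed values early.
    public function rules()
    {
        return array(
            array('username, email', 'required'),
            array('username', 'length', 'max' => 32),
            array('email', 'email'),
            array('age', 'numerical', 'integerOnly' => true),
        );
    }
}

// UNSAFE: the value is concatenated into the condition string, so AR has
// nothing to bind and the raw input becomes part of the SQL text.
function findUserUnsafe($username)
{
    return User::model()->find("username='" . $username . "'");
}

// SAFE: the value is passed as a named parameter and AR binds it via PDO.
// findByAttributes(array('username' => $username)) binds the same way.
function findUserBound($username)
{
    return User::model()->find('username=:u', array(':u' => $username));
}

// SAFE: CDbCriteria::compare() adds bound parameters, here for a LIKE search.
// Column names and ORDER BY clauses cannot be bound, so values used there
// must still be checked against a fixed allow-list of column names.
function searchUsers($fragment)
{
    $criteria = new CDbCriteria();
    $criteria->compare('username', $fragment, true); // partial match, bound
    return User::model()->findAll($criteria);
}
```

Only the concatenated form in `findUserUnsafe()` is exposed; the bound forms send the value to the driver separately from the query text, which is the "whenever possible" the answer refers to.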

Excellent! That’s what I was hoping. Thanks for the quick response.

Bro, does CActiveRecord automatically prevent SQL injection?

Please don’t post the same question to two or more topics.

http://www.yiiframework.com/forum/index.php?/topic/13119-sql-injection-question/