I'm using Yii 1.1.15 and am adding a criteria to my dataprovider:
$search_condition[] = 'd.test IN (:pTEST)';
$search_params[':pTEST'] = $_GET[$key];
$dataProvider=new CActiveDataProvider('MODELNAME',
array(
'criteria' => array(
'condition'=>$_search_conditions,
'params'=>$search_params,
),
));
The query generated is:
SELECT COUNT(*) FROM `TABLE` `s`
WHERE (s.id IN (:pTEST)). Bound with :pTEST='6,50'
This gives me 0 results in my view when I call the function $dataProvider->getTotalItemCount().
But when I change my params to this, it works:
$search_condition[] = 'd.test IN ('.$_GET[$key].')';
Won't this be vulnerable to MySQL injections? If so, how do I use Yii's params? Or should I just add a mysql_real_escape_string? Personally I would rather use Yii's bound params if possible.
You have a CDbCriteria class in Yii which helps you in building the query:
// Split the comma-separated value; addInCondition() binds each element as its own parameter
$values = explode(",", $_GET[$key]);
$criteria = new CDbCriteria();
$criteria->addInCondition('test', $values);
$dataProvider=new CActiveDataProvider('MODELNAME',
array(
'criteria' => $criteria,
));
This would give you the required output.
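Why the single :pTEST placeholder matches nothing while one placeholder per value works, shown as an added example that is not part of the original question or answer. Plain PDO with an in-memory SQLite database stands in for Yii and MySQL here; the `items` table and the `parseIdList()` and `countByIds()` helpers are hypothetical names.

```php
<?php
// Added example: plain PDO + in-memory SQLite stand in for Yii and MySQL.
// Table, column and function names are hypothetical.

/** Split a comma-separated request value into a list of integer ids. */
function parseIdList(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {   // digits only, drop anything else
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/** Count rows whose id is in $ids, one bound placeholder per value. */
function countByIds(PDO $db, array $ids): int
{
    if ($ids === []) {
        return 0;                                   // "IN ()" is a syntax error; match nothing
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $db->prepare("SELECT COUNT(*) FROM items WHERE id IN ($marks)");
    $stmt->execute($ids);
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY)');
$db->exec('INSERT INTO items (id) VALUES (6), (7), (50)');   // constructed sample rows

// The question's form: the whole list is bound as ONE value, so the database
// compares id against the single string '6,50' instead of the ids 6 and 50.
$stmt = $db->prepare('SELECT COUNT(*) FROM items WHERE id IN (:pTEST)');
$stmt->execute([':pTEST' => '6,50']);
echo 'single placeholder: ', $stmt->fetchColumn(), "\n";

echo 'one placeholder per value: ', countByIds($db, parseIdList('6,50')), "\n";

// Constructed hostile input: non-numeric parts are dropped, the rest is bound as data.
echo 'hostile input: ', countByIds($db, parseIdList('6,50 OR 1=1')), "\n";
```

The digit check only suits integer columns; for string columns, skip it and rely on the per-value binding alone.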