I have a Doctrine_RawSql query using prepared statements. However, the parameters seem to be ignored when the SQL query is generated. But if I leave the marker values, I get an exception that the number of bound variables does not match (so at least it tries to include them).
If I include these values inline, does Doctrine do something behind the scenes to prevent SQL injection?
Here is my code:
    public function sortedPhotogsByLocation($location)
    {
        $q = new Doctrine_RawSql();
        $result = $q->select('{p.*}')
            ->from('photographers p')
            ->addComponent('p', 'Photographer')
            // first marker: bound to the city id
            ->where('p.city_id = ?', $location->id)
            // second marker sits inside a double-quoted string literal in the SQL
            ->orderBy('CASE WHEN p.lname < "?%" THEN 1 ELSE 0 END, p.lname ASC', $location->photographer_sort)
            ->execute();

        return $result;
    }
This provides the following SQL output:
    SELECT * FROM photographers p WHERE p.city_id = ? ORDER BY CASE WHEN p.lname < "?%" THEN 1 ELSE 0 END, p.lname ASC
EDIT: The properties on $location are set correctly. If I hard-code the parameters:

    ->where('p.city_id = ?', 5)

I face the same problem: the tokens are not replaced.
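An added example, not code from the question or from Doctrine. Doctrine_RawSql hands the generated SQL text and the parameter array to PDO, so the string returned by getSqlQuery() still contains the `?` markers; the values are bound when the statement is executed, not substituted into the text. The script below uses Python's sqlite3 driver as a stand-in for PDO (an assumption: the placeholder rule it demonstrates holds for both) and a constructed photographers table. It shows that a `?` inside a quoted string literal is not a marker at all (so the posted query has one real marker and two supplied values, hence the count error), that pasting values inline lets a crafted sort value rewrite the ORDER BY and a crafted id rewrite the WHERE, and that binding the value with its `%` suffix appended to the value rather than to the SQL keeps the same input as plain data. Single quotes are used for the literal because sqlite3 treats double quotes as identifiers.

```python
import sqlite3

# Constructed sample data standing in for the photographers table in the question.
SAMPLE_ROWS = [
    (1, 5, "Adams"),
    (2, 5, "Nguyen"),
    (3, 5, "Zimmer"),
    (4, 7, "Baker"),
]


def make_db():
    """In-memory database holding the constructed photographers rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE photographers (id INTEGER PRIMARY KEY, city_id INTEGER, lname TEXT)"
    )
    conn.executemany("INSERT INTO photographers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def placeholder_inside_literal(conn):
    """Shape of the query in the question: the ? inside '?%' is part of a string
    literal, so the statement has only one real marker. Supplying two values
    therefore raises a binding-count error from the driver.
    Returns the driver's error message, or None if no error was raised."""
    sql = (
        "SELECT lname FROM photographers p WHERE p.city_id = ? "
        "ORDER BY CASE WHEN p.lname < '?%' THEN 1 ELSE 0 END, p.lname ASC"
    )
    try:
        conn.execute(sql, (5, "N"))
    except sqlite3.Error as exc:
        return str(exc)
    return None


def inline_unsafe(conn, location_id, sort_prefix):
    """Values pasted into the SQL text. The driver never sees them as data,
    so a crafted sort_prefix or location_id rewrites the query."""
    sql = (
        f"SELECT lname FROM photographers p WHERE p.city_id = {location_id} "
        f"ORDER BY CASE WHEN p.lname < '{sort_prefix}%' THEN 1 ELSE 0 END, p.lname ASC"
    )
    return [row[0] for row in conn.execute(sql)]


def bound_safe(conn, location_id, sort_prefix):
    """Same query with real markers: the '%' suffix is appended to the bound
    value, not to the SQL text, so whatever sort_prefix contains stays a string."""
    sql = (
        "SELECT lname FROM photographers p WHERE p.city_id = ? "
        "ORDER BY CASE WHEN p.lname < ? THEN 1 ELSE 0 END, p.lname ASC"
    )
    return [row[0] for row in conn.execute(sql, (location_id, sort_prefix + "%"))]


# Constructed sort value that closes the literal, forces the CASE to a constant
# and flips the sort direction; the trailing comment marker swallows the rest.
PAYLOAD = "' THEN 0 ELSE 0 END, p.lname DESC --"

if __name__ == "__main__":
    db = make_db()
    print(placeholder_inside_literal(db))
    print(inline_unsafe(db, 5, "N"))
    print(inline_unsafe(db, 5, PAYLOAD))
    print(bound_safe(db, 5, PAYLOAD))
    print(inline_unsafe(db, "5 OR 1=1", "N"))
    print(bound_safe(db, "5 OR 1=1", "N"))
```

With the inline build, PAYLOAD reverses the result order and the id string `5 OR 1=1` returns the city 7 row as well; with bound markers the same payload sorts as an ordinary string and the id string matches no row at all. That is the behaviour to check for in Doctrine: keep every `?` outside quotes, pass one value per marker, and build any prefix or suffix into the value.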