Question on SQL Injection with Query Builder

[gb5256]

Hi there.
The docs of Yii2 states that this is the way to avoind SQL Injections: (via param bindings):

// query builder
$userIDs = (new Query())
->select('id')
->from('user')
->where('status=:status', [':status' => $status])
->all();

My question is: As I am using the Array notation in the where clause, is it then also necessary to bind the params and if so, how would the syntax then look like? See example below. My point is also that the where array notation also might inlclude multiple attributes.

// query builder with array notation
$userIDs = (new Query())
->select('id')
->from('user')
->where(['status' => $status'])
->all();

[bizley]

You don't have to change your syntax from array. Under the hood it's built with PDO parameters.