
form validate and binding


  1. When using form validators, is it still required to use binding when inserting into the db, or is the input considered already safe?

    $name = new Text('Name');
    $name->addValidators(array(
        new PresenceOf(array(
            'message' => 'Please enter your name'
        )),
        new Alpha(array(
            'message' => 'Name is not valid'
        ))
    ));

  2. When calling $form->bind($_POST, new Model()), will the data from the model already have the filters applied, or is it getting the raw data from $_POST?

  3. Does the ORM do any checking and filtering by default?


The ORM uses bind parameters for insertion/update; also, $form->bind assigns the values already filtered.

I see, so the only time binding is required is when doing a Model::find() or Model::count(), and maybe for Model::findOneByField() too. I know I read something in the docs a long time ago, but I can no longer find it :)


Model::findOneByField() automatically uses bound parameters too; you only need binding in the methods that query data: Model::find()/Model::findFirst()/Model::count()/Model::sum()/Model::query()/etc.

I got it. Thank you for clarifying this for me.
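
The distinction drawn in the answers above, shown as an added example that is not part of the original thread or Phalcon's own code: a condition built by string concatenation next to the same condition passed with bound parameters to Model::find() and Model::count(). The `Users` model, the in-memory SQLite table and the input string are constructed for illustration, and the Phalcon and pdo_sqlite extensions are assumed to be loaded.

```php
<?php
// Added example: Users, its table and the sample rows are constructed here.
use Phalcon\Db\Adapter\Pdo\Sqlite;
use Phalcon\Db\Column;
use Phalcon\Di\FactoryDefault;
use Phalcon\Mvc\Model;

class Users extends Model
{
    public $id;
    public $name;
}

// FactoryDefault registers the models manager and metadata services.
$di = new FactoryDefault();
$di->setShared('db', function () {
    $db = new Sqlite(['dbname' => ':memory:']);
    $db->execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->execute("INSERT INTO users (name) VALUES ('alice')");
    $db->execute("INSERT INTO users (name) VALUES ('bob')");
    return $db;
});

// Constructed input that never went through a form or its validators.
$input = "' OR '' = '";

// Unsafe: the value is spliced into the PHQL condition and can change its logic.
$unsafe = Users::find("name = '" . $input . "'");

// Safe: the condition holds only a placeholder; the value is sent as a bound parameter.
$safe = Users::find([
    'conditions' => 'name = :name:',
    'bind'       => ['name' => $input],
    'bindTypes'  => ['name' => Column::BIND_PARAM_STR],
]);

// The other query methods named in the thread take the same keys.
$count = Users::count([
    'conditions' => 'name = :name:',
    'bind'       => ['name' => $input],
]);

printf(
    "concatenated: %d rows, bound find: %d rows, bound count: %d\n",
    count($unsafe),
    count($safe),
    $count
);
```

Form validators such as Alpha only protect values that pass through the form; a value read from the request and placed straight into a find() condition still needs the `bind` key.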