Is CodeIgnighter's Database Library Enough to Prevent Against Sql Injections

I am trying to write models in codeignighter like here which relies on CodeIgnighter's database API. I have read a forum post on whether or not Co开发者_JAVA百科deIgnighter's database API completely prevents SQL injections. I know alot of people suggest using the PDO Framework as the best way of preventing SQL injections. I know how to use the PDO framework however I don't see how I can use prepared statements to generate queries in models. Am I save from SQL injections using CodeIgnighter's database API or should I use the PDO Framework?

Providing you use code igniters built in functions you will be allright.

Here is a link on stackoverflow that explains this more: StackOverflow Question,

Use parametized queries, and follow the examples in the above SO question, and you will be safe from SQL injection, there is not much else you can do yourself, just write good code following CI best practices and using all the built in functions.

Can't say much about CodeIgniter but will use Doctrine as example. Say you want to fetch a user from database. You can add condition to query:

    // Correct usage. $user value will be passed as bound parameter to PDO
    $query->where('u.username = ?', $user);

Or..

    // Works fine but should not be used like this and can be exploited if $user was not sanitized/escaped
    $query->where("u.username = '$user' ");

Same applies to plain PDO too.

So answer is: it can help you, but you still have to read documentation and follow the guidelines.

CI's libraries are as good a defense against sql injection as mysql_real_escape_string (or whatever your preferred driver is). Why is this? because their DB library calls that on all inputs. It also properly escapes all table and column names. Further, use of PDO means that you'll need to somehow use a rewrite of CI's Active Record syntax.

That said, there are a lot of benefits to PDO. I just don't think security is practically one of them.