If you use Active Record or query binding you are safe since CI uses mysql_real_escape_string() to guard against SQL injection. Parameterized queries are similar to CI’s query bindings. The advantage to parameterized queries on databases that support them is speed when executing the same query but with different data multiple times. Think multiple inserts. PDO supports parameterized queries on databases that support them, but PDO can also emulate parameterized queries, which is the same thing as CI’s query binding.
There is only one way to avoid [injection] attacks
* Do not create SQL statements that include outside data.
* Use parameterized SQL calls.
That’s it. Don’t try to escape invalid characters. Don’t try to do it yourself. Learn how to use parameterized statements. Always, every single time.
The strip gets one thing crucially wrong. The answer is not to “sanitize your database inputs” yourself. It is prone to error.
With PDO you can bind your vars/fields. But you don’t have to. It’s extra work, especially with big forms. But it is worth the time. But you still should sanitize your data. PHP provides some nice tools for that (there’s a link in my post above).
It is not hard to protect your site from a SQL injection attack. You just can’t be lazy. Every form, every page where a user can type data must be sanitized.
And CI does it all for you, if you want. Easy peasy.
I’m sorry, but this is bad advice. Parameterization is much safer than escaping query strings. Abstraction and security are the main reasons for the use of PDO. Performance is nothing but a side effect. If you want to improve query performance, you use sensible indexes and stored procedures (and beyond that sharding, clustering, etc.)
mysql_real_escape_string does very little to prevent injection attacks.
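The contrast the thread keeps returning to (outside data concatenated into SQL versus bound as a parameter, and the prepare-once/execute-many point from the first post), as an added example that is not from the thread or from CodeIgniter. It assumes PDO with an in-memory SQLite database so it runs offline; the PDO calls are the same against MySQL.

```php
<?php
// Added example, not from the thread. Uses PDO with SQLite in memory (an
// assumption so the script is self-contained); swap the DSN for MySQL in practice.
// With the MySQL driver, PDO::ATTR_EMULATE_PREPARES => false asks the server for
// real prepared statements (the "emulate" mode is the one the first post likens
// to CI's query binding); the SQLite driver does not accept that attribute, so it
// is left at its default here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed untrusted input: a "name" that carries SQL syntax.
$input = "nobody' OR '1'='1";

// 1. Outside data concatenated into the statement. The embedded quote closes the
//    string literal and the trailing OR makes the predicate true for every row,
//    so a lookup for one user returns the whole table.
$unsafe = "SELECT name FROM users WHERE name = '" . $input . "'";
$rows = $pdo->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated:  %d row(s) -> %s\n", count($rows), implode(', ', $rows));

// 2. Same query with a named placeholder. The value travels as data and is never
//    parsed as SQL, so it can only match a user literally called nobody' OR '1'='1.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("parameterized: %d row(s)\n", count($rows));

// 3. The speed point from the first post: prepare once, execute many times.
//    The caller never escapes anything; the quote in o'neil is just data.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
foreach (['carol', "o'neil", 'dave'] as $name) {
    $insert->execute([$name]);
}
$count = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
printf("users now:     %d\n", $count);
```

Run it with `php example.php`: the concatenated query returns both seeded rows, the parameterized one returns none, and the table ends with five users.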