Has anyone gotten real prepared statements working in CI? 

It looks like even if I’m passing in very optimizable queries like

CI then pulls them apart and manually constructs the full query with the variables replaced with values, which loses all query compilation optimization that you would get if you did a more normal “bind_param” method.

Here is how I implemented mysqli prepared statements in CI 2.1.3.

I modified the following files:

/application/config/database.php
/system/database/DB_active_rec.php
/system/database/DB_driver.php
/system/database/drivers/mysqli/mysqli_driver.php

With these modifications, I can:

1. Use Active Record functions as is. In fact, I am using Jamie Rumbelow’s Base Model on this project.

2. For hand-coded queries, use CI’s Query Bindings as you would normally do.

Limitations:

1. Have not tested this with CI database caching as I do not plan on using it.

2. For table joins that requires parameters in the ON clause, use hand-coded SQL and Query Bindings.

3. There may be others but I have not encountered any issue so far.

This solution works very well for my current project. I know that these modifications affect CI system files. But since I use git, it is easy enough to keep track of my changes against future CI versions.

And if you accidentally overwrite your system folder with a new CI version, your application will still work! Albeit using standard CI field escaping.