Some doubts regarding CodeIgniter and its input handling capabilities. Some may be a little weird but they are doubts nonetheless.
1.
It does if you do it properly.
2.
You will probably have noticed that all function calls are in a way that user data is passed in one variable each. So you don't even have the possibility to pass SQL control code and user data in one variable. In short, data is encapsulated in one variable each. Therefore it can be safely encoded without breaking your SQL code.
The exception, however, is if you pass your whole query. Then it's not possible.
If you do
$db->query("select * from table where password = 'hello ' or '1=1");
there is no way of telling what should be escaped and what's not, but if you quote it in like this
$db->query("select * from table where password = ?",array('param1'));
the user variable gets encapsulated in one variable and will be escaped.
3.
Yes, it does, but its primary purpose is not to prevent SQL injection;
I would rather rely on http://codeigniter.com/user_guide/libraries/input.html
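
The difference between the two calls in point 2, as an added example that is not part of the original answer. It assumes PDO with an in-memory SQLite database standing in for CodeIgniter's database object so it runs without the framework; the `users` table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for CodeIgniter's database
// object (an assumption, so the script runs stand-alone).
// The table and rows are constructed; the plaintext password column only
// mirrors the query shown in the answer.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'hello'), ('bob', 'secret')");

// Whole query passed as one string: input and SQL are mixed together,
// so a quote inside the input changes the structure of the statement.
function find_concatenated(PDO $pdo, string $password): array
{
    $sql = "SELECT name FROM users WHERE password = '" . $password . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Placeholder form: the value is handed over separately from the SQL text
// and is only ever compared as data.
function find_bound(PDO $pdo, string $password): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE password = ?');
    $stmt->execute(array($password));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// First input is an ordinary value; the second is the string from the answer.
$inputs = array('hello', "hello ' or '1=1");

foreach ($inputs as $input) {
    printf("input: %s\n", $input);
    printf("  concatenated -> %s\n", json_encode(find_concatenated($pdo, $input)));
    printf("  bound        -> %s\n", json_encode(find_bound($pdo, $input)));
}
```

With the ordinary input both functions return the same row; with the second input only the concatenated query returns rows whose password was never supplied.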