Database Security, mysqli and prepared statements
#1

[eluser]Unknown[/eluser]
Hello,

I've been reading the CodeIgniter documentation today. I'm concerned that the Database class does not seem to have an option to use MySQL prepared statements. Instead, the best advice it gives is to escape strings. Yes, I saw the "Query Bindings" section, but if you read carefully you'll see that this function is simply a shortcut for escaping strings.

I guess I can always use PHP's mysqli() to do my database access, and if I can't find something I like better than CodeIgniter, that's what I'll do. But somehow it feels like the wrong solution because CodeIgniter is supposed to include database functionality too.

Is there any CodeIgniter module or plugin that will provide a Database class that uses mysqli() to provide MySQL prepared statements?

Thanks for the help.
#2

[eluser]Unknown[/eluser]
I think I understand now why CI does not support prepared statements: CI wants to support PHP4, and in PHP4 the only libraries that support prepared statements are vendor-specific libraries such as MySQLi (which is only for MySQL). In PHP5 we have "PHP Data Objects", which is a vendor-agnostic library that supports prepared statements.

I am taking a serious look at the Yii Framework. It seems to have most of the advantages of CI (good documentation, MVC-but-flexible, high performance) with some additional advantages (for me) such as using prepared statements. Yii does not support PHP4 but I'm cool with that. I don't care about PHP4.
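The distinction raised in both posts above (escaping a value into the query text versus a real prepared statement, first with mysqli and then with PDO) as an added example, not code from either poster, from CodeIgniter or from Yii. The connection constants, the `users(id, email)` table and the `$id` input are assumptions constructed for the example.

```php
<?php
// Added example: escaping versus prepared statements in mysqli and PDO.
// Assumes (not from the thread) a MySQL server and a table
// users(id INT PRIMARY KEY, email VARCHAR(255)).
declare(strict_types=1);

const DB_HOST = '127.0.0.1'; // assumed
const DB_USER = 'app';       // assumed
const DB_PASS = 'secret';    // assumed
const DB_NAME = 'appdb';     // assumed

// Untrusted input, constructed for the example. It contains no quote
// character, so escaping has nothing to escape.
$id = '1 OR 1=1';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$mysqli->set_charset('utf8mb4'); // escaping is only correct for the charset the driver knows

// 1. Escaping. The query is still a single string that the server parses
//    as a whole. real_escape_string only neutralises quote and backslash
//    characters, so it protects a value that is placed inside quotes and
//    nothing else. Here the value is used in a numeric context without
//    quotes, and the result is "WHERE id = 1 OR 1=1": every row comes back.
$sql = 'SELECT id, email FROM users WHERE id = ' . $mysqli->real_escape_string($id);
$escapedRows = $mysqli->query($sql)->fetch_all(MYSQLI_ASSOC);

// 2. mysqli prepared statement. The SQL with a "?" placeholder is sent to
//    the server and parsed first; the value travels separately in the
//    execute packet, so it can never change the statement's structure.
//    Binding as 'i' also coerces the input to an integer (here: 1).
$stmt = $mysqli->prepare('SELECT id, email FROM users WHERE id = ?');
$stmt->bind_param('i', $id);     // 'i' = integer, 's' = string, 'd' = double, 'b' = blob
$stmt->execute();
$preparedRows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
$stmt->close();

// 3. PDO (PHP 5+, vendor-agnostic). Caveat: the MySQL PDO driver emulates
//    prepared statements on the client by default, i.e. it quotes and
//    interpolates the value into the query text much like case 1. Turn
//    emulation off to get genuine server-side prepared statements.
$pdo = new PDO(
    'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4',
    DB_USER,
    DB_PASS,
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);
$pstmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
$pstmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$pstmt->execute();
$pdoRows = $pstmt->fetchAll(PDO::FETCH_ASSOC);

printf("escaped: %d rows, mysqli prepared: %d rows, PDO prepared: %d rows\n",
    count($escapedRows), count($preparedRows), count($pdoRows));
// Cases 2 and 3 return at most one row (id = 1); case 1 returns the whole table.
```

Two caveats a practitioner would check before relying on either approach: placeholders can only carry values, so a table or column name taken from input (an `ORDER BY` column, say) still has to be validated against an allow-list, and with PDO the `ATTR_EMULATE_PREPARES => false` setting is what actually moves the value out of the query text.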
