[eluser]Keat Liang[/eluser]
[quote author="osci" date="1308261566"]I don't know if it should be escaped or not by limit.
But in your example you are protecting your search variable and not limit or offset or domain that you accept from the url. Shouldn't you escape everything you get from the url?[/quote]
I suggest the limit function (Active Record) should use is_numeric() to validate the data,
since SQL LIMIT only accepts INT.
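
The check suggested above, as an added example that is not part of the original post or of CodeIgniter's own code: it compares is_numeric() with a strict integer check on values read from the URL. is_numeric() also accepts floats and exponent notation such as "1e3", so a bounded integer filter is a closer match for what LIMIT and OFFSET take. The helper name paging_int() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: strict validation of LIMIT/OFFSET values taken from the URL.
// paging_int() is a hypothetical helper, not a CodeIgniter function.

/**
 * Return $raw as an integer if it is a plain decimal integer within
 * [$min, $max]; otherwise fall back to $default.
 */
function paging_int($raw, int $default, int $min, int $max): int
{
    // FILTER_VALIDATE_INT rejects floats, exponent notation, hex strings
    // and trailing garbage, and enforces the range in the same call.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);

    return $value === false ? $default : $value;
}

// Constructed sample inputs, standing in for URL segments or query parameters.
$samples = ['25', '1e3', '10.5', '0x1A', '-1', '10abc', '999999'];

foreach ($samples as $raw) {
    printf(
        "%-8s is_numeric=%-5s paging_int=%d\n",
        var_export($raw, true),
        var_export(is_numeric($raw), true),
        paging_int($raw, 10, 1, 100) // default 10, allowed range 1..100
    );
}

// In a controller, the validated integers are what reach Active Record:
//   $limit  = paging_int($this->uri->segment(3), 10, 1, 100);
//   $offset = paging_int($this->uri->segment(4), 0, 0, PHP_INT_MAX);
//   $this->db->limit($limit, $offset);
```

The upper bound on the limit also keeps a single request from asking for an arbitrarily large page.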