Can a URI var ever be malicious?

theshiftexchange
Hi guys,

Given the following code:

Code:
// Create a new user
function register($plan = false)
{
    // Check the plan they have picked is valid, or default to the first plan
    $this->load->model('pricing_plan');
    if (( ! $plan) || ($this->pricing_plan->count_by('name', $plan) === 0))
    {
        $plan = $this->pricing_plan->get_all();
        $plan = $plan[0]->name;
    }

    // (remainder of the method is not shown in the post)
}

Because I pass "$plan" to the model without validation, can anything malicious ever be passed? I.e. SQL injection? Or JavaScript?

I use active record on the model.
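
An added example, not part of the original post and not CodeIgniter code: the same check-then-default logic as a stand-alone PHP script, with the URI value bound as a query parameter and the resolved name HTML-escaped on output. It assumes PDO with the SQLite driver; the `pricing_plans` table, the plan names and `resolve_plan()` are hypothetical.

```php
<?php
// Added example: plain PHP with PDO and in-memory SQLite, not CodeIgniter code.
// The table, the plan names and resolve_plan() are hypothetical.

function resolve_plan(PDO $db, $requested)
{
    // Look the requested name up with a bound parameter: the value travels
    // to the database as data and is never spliced into the SQL text.
    if (is_string($requested) && $requested !== '') {
        $stmt = $db->prepare('SELECT name FROM pricing_plans WHERE name = :name');
        $stmt->execute([':name' => $requested]);
        $name = $stmt->fetchColumn();
        if ($name !== false) {
            // Return the value read back from the table, not the URI string.
            return $name;
        }
    }

    // Missing or unknown plan: default to the first plan.
    return $db->query('SELECT name FROM pricing_plans ORDER BY id LIMIT 1')
              ->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pricing_plans (id INTEGER PRIMARY KEY, name TEXT UNIQUE)');
$db->exec("INSERT INTO pricing_plans (name) VALUES ('basic'), ('pro')");

// Constructed URI-segment values: one valid, one missing, two hostile-looking.
$samples = ['pro', false, "pro' OR '1'='1", '<script>alert(1)</script>'];

foreach ($samples as $segment) {
    $plan = resolve_plan($db, $segment);
    // Escape at the point of output, whatever the value's origin.
    printf(
        "%-30s => %s\n",
        var_export($segment, true),
        htmlspecialchars($plan, ENT_QUOTES, 'UTF-8')
    );
}
```

Only a name that exists in the table survives the lookup; every other constructed input resolves to the default plan.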

