Protection from SQL-injections and XSS-attacks
#18

(07-13-2017, 11:33 AM)ciadmin Wrote: Hmmm - ActiveRecord hasn't been a thing for several years now ... renamed the Query Builder in CI3.

It sounds like you might have overlooked the user guide section dealing with the problems you mention ... https://www.codeigniter.com/user_guide/l...urity.html

Sorry to revive an old thread, but I wanted to ask if using actual SQL with ? placeholders is safe from SQL injection attack, as opposed to ActiveRecord / QueryBuilder?

For example, doing something like this:

PHP Code:
$sql = 'SELECT * FROM users WHERE userId = ?';
$query = $this->db->query($sql, array($userId));

Would the above be immune to SQL injection attacks?  Or do I need to still escape or do something extra?

The reason we use these is for some complex queries, we can test the SQL directly in PhpMyAdmin or something to ensure it is getting the right data results, and then simply copy/paste the SQL as the query and just replace the values with ? placeholders.

Thank you for your help.
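As an added illustration (not from the thread and not CodeIgniter code), the stand-alone PHP script below uses PDO against an in-memory SQLite database to show the difference the question is about: with a `?` placeholder the whole input string is passed as a single value, so a hostile `userId` matches no row, while the same input spliced into the SQL text rewrites the WHERE clause and returns every row. The table, rows and input are constructed for the demo; placeholders also bind only values, never table or column names, and they do nothing for the XSS side of the thread title.

```php
<?php
// Added example: PDO + in-memory SQLite (not CodeIgniter's own API).
// Shows why a bound `?` placeholder is treated as data while a value
// concatenated into the SQL string becomes part of the query itself.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userId INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed hostile input: a valid id followed by a quote that would
// close the literal if the value were pasted straight into the SQL text.
$userId = "1' OR '1'='1";

// Unsafe: the value is spliced into the SQL string, so its quotes and
// keywords are parsed as SQL rather than compared as a literal id.
function lookupConcat(PDO $pdo, string $userId): array {
    $sql = "SELECT name FROM users WHERE userId = '" . $userId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the `?` is a parameter; the driver hands the complete string to
// the engine as one value, so no part of it can alter the statement.
function lookupBound(PDO $pdo, string $userId): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE userId = ?');
    $stmt->execute([$userId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupConcat($pdo, $userId));
var_dump(lookupBound($pdo, $userId));

// Caveat: binding covers values only. Identifiers (table/column names),
// ORDER BY targets and keywords cannot be bound; those must be chosen from
// an allow-list in application code, never taken from user input.
```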


Messages In This Thread
RE: Protection from SQL-injections and XSS-attacks - by rjrj2000 - 08-25-2017, 09:52 PM