$this->db->escape() - Fix.
#5

[eluser]barryskidmore[/eluser]
I went ahead and restored that original and now only call it when required:
Code:
/**
 * Generate an insert string
 *
 * @access    public
 * @param    string    the table upon which the query will be performed
 * @param    array     an associative array data of key/values
 * @return   string
 */
function insert_string($table, $data)
{
    $fields = array();
    $values = array();

    foreach ($data as $key => $val)
    {
        $fields[] = $key;
        // Escape the value unless it looks like a raw SQL expression: a value
        // with a numeric key, or one containing NOW() or the column's own name,
        // is passed through to the query unescaped.
        if (is_numeric($key) === false && stristr($val, 'NOW()') === false && stristr($val, $key) === false) {
            $values[] = $this->escape($val);
        } else {
            $values[] = $val;
        }
    }

    return $this->_insert($this->prep_tablename($table), $fields, $values);
}

Fits my needs and saves me a bit of typing. Could easily be extended to check an array for all SQL keywords but I do not need to be that specific.

Any exploration of automating the preparation of data so as to severely limit injection attacks is always worthwhile, especially when the documentation offers little in the way of technique explanation.

http://ellislab.com/codeigniter/user-gui...lpers.html
Quote:This function simplifies the process of writing database inserts. It returns a correctly formatted SQL insert string. Example:
Quote:Note: Values are automatically escaped, producing safer queries.
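Added example (not from the post above or from CodeIgniter) contrasting the substring heuristic in that insert_string() with an explicit marker for raw SQL; RawSql, escape_value(), values_heuristic(), values_explicit() and insert_sql() are hypothetical names, and escape_value() is a simplified stand-in for the driver's escape().

```php
<?php
// Stand-in for the driver's escape(); a real driver must use its
// connection-aware escaping (e.g. mysqli_real_escape_string).
function escape_value($v): string {
    if ($v === null)                { return 'NULL'; }
    if (is_bool($v))                { return $v ? '1' : '0'; }
    if (is_int($v) || is_float($v)) { return (string) $v; }
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], (string) $v) . "'";
}

// Hypothetical marker class (PHP 8): the only way to pass raw SQL through.
final class RawSql {
    public function __construct(public string $sql) {}
}

// Heuristic from the post: skip escaping when the key is numeric or the
// value mentions NOW() or the column name.
function values_heuristic(array $data): array {
    $out = [];
    foreach ($data as $key => $val) {
        $raw = is_numeric($key) || stristr($val, 'NOW()') !== false || stristr($val, $key) !== false;
        $out[] = $raw ? $val : escape_value($val);
    }
    return $out;
}

// Explicit marking: a RawSql instance is passed through, everything else is escaped,
// so the decision no longer depends on what the data happens to contain.
function values_explicit(array $data): array {
    $out = [];
    foreach ($data as $val) {
        $out[] = $val instanceof RawSql ? $val->sql : escape_value($val);
    }
    return $out;
}

function insert_sql(string $table, array $fields, array $values): string {
    return sprintf('INSERT INTO `%s` (`%s`) VALUES (%s)',
        $table, implode('`, `', $fields), implode(', ', $values));
}

$fields = ['name', 'created'];
// Constructed input: an ordinary string that happens to contain its own column
// name ("name"), so the heuristic emits it unquoted and the statement breaks.
echo insert_sql('users', $fields, values_heuristic(['name' => "My name's Bob", 'created' => 'NOW()'])), PHP_EOL;

// Same data with the expression marked explicitly: the string is quoted and escaped,
// and only NOW() is emitted raw.
echo insert_sql('users', $fields, values_explicit(['name' => "My name's Bob", 'created' => new RawSql('NOW()')])), PHP_EOL;
```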

