[eluser]TheFuzzy0ne[/eluser]
Yes, it will be a security threat and also you won't have a valid SQL query.
Let's say you wanted to insert some data into an imaginary table:
Code:
$this->db->where('user_id', '1');
$this->db->insert('imaginary_table', array('username' => 'some name'));
If the string was not escaped, the resulting query would look something like this:
Code:
INSERT INTO imaginary_table (username) VALUES(some name) WHERE user_id = '1';
This is not valid SQL, as "some name" does not appear within quotes so your SQL database won't know it's a string. Escaping it adds those quotes, so it will look more like this:
Code:
INSERT INTO imaginary_table (username) VALUES('some name') WHERE user_id = '1';
If you pass a string to $this->db->escape(), it is automatically escaped using your database's native escape function (to prevent SQL injection attacks), which is essentially what escape_str() does.
I recommend you stick with $this->db->escape(), as it does everything you should need it to. If you're using the active record class, then your data is escaped automatically.
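
As an added illustration (not part of the original post and not CodeIgniter's own code), this stand-alone PHP script shows the effect of quoting and escaping a string value before it is placed into an INSERT statement. It assumes the pdo_sqlite extension and an in-memory SQLite database; PDO::quote() stands in for the database's native escape function, and escape_value() and try_insert() are hypothetical helpers.

```php
<?php
// Added example: PDO::quote() stands in for the driver's native escape function.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE imaginary_table (user_id INTEGER PRIMARY KEY, username TEXT)');

// Hypothetical helper: strings are escaped and wrapped in quotes,
// other scalar types become plain SQL literals, anything else is refused.
function escape_value(PDO $db, $value)
{
    if (is_string($value)) {
        return $db->quote($value);
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_null($value)) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    throw new InvalidArgumentException('Unsupported value type');
}

// Hypothetical helper: run a statement and report whether the database accepted it.
function try_insert(PDO $db, $sql)
{
    try {
        $db->exec($sql);
        return 'accepted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed sample inputs: a plain name and one containing an apostrophe.
foreach (array('some name', "O'Brien") as $name) {
    $raw     = "INSERT INTO imaginary_table (username) VALUES($name)";
    $escaped = 'INSERT INTO imaginary_table (username) VALUES(' . escape_value($db, $name) . ')';
    echo $raw, "\n  -> ", try_insert($db, $raw), "\n";
    echo $escaped, "\n  -> ", try_insert($db, $escaped), "\n";
}

// Bound parameters keep the value out of the SQL text entirely.
$stmt = $db->prepare('INSERT INTO imaginary_table (username) VALUES(?)');
$stmt->execute(array("O'Brien"));

// Show what was actually stored.
print_r($db->query('SELECT user_id, username FROM imaginary_table')->fetchAll(PDO::FETCH_ASSOC));
```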