[eluser]Glen Swinfield[/eluser]
You will probably need to addslashes() yourself. If using mysql use mysql_real_escape_string(). Check the php manual for further info on the function.
$this->db->query(); does nothing with the data passed to it other than execute a mysql_query() around it.