Is CodeIgnighter's Database Library Enough to Prevent Against Sql Injections

Providing you use CodeIgniter's built-in functions you will be all right.

Here is a link on Stack Overflow that explains this more: StackOverflow Question.

Use parameterized queries, and follow the examples in the above SO question, and you will be safe from SQL injection. There is not much else you can do yourself; just write good code following CI best practices and using all the built-in functions.

I can't say much about CodeIgniter but will use Doctrine as an example. Say you want to fetch a user from the database. You can add a condition to the query:

    // Correct usage. $user value will be passed as a bound parameter to PDO
    $query->where('u.username = ?', $user);

    // Works fine but should not be used like this and can be exploited if $user was not sanitized/escaped
    $query->where("u.username = '$user' ");

Same applies to plain PDO too.

So the answer is: it can help you, but you still have to read the documentation and follow the guidelines.
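The two `where()` forms from the Doctrine snippet, reduced to plain PDO against an in-memory SQLite database so the difference can be run locally. This is an added example, not code from the answer above; the `users` table, its rows and the input value are constructed here for the demonstration.

```php
<?php
// Added example: bound parameter vs. string interpolation in plain PDO.
// Uses an in-memory SQLite database so it runs without any server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', "O'Brien"] as $name) {   // constructed sample rows
    $seed->execute([$name]);
}

// Bound parameter: $user travels to the driver separately from the SQL text,
// so its content can never change the structure of the statement.
function findUserSafe(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String interpolation: $user becomes part of the SQL text itself.
function findUserUnsafe(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->query("SELECT id, username FROM users WHERE username = '$user'");
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input = "O'Brien"; // an ordinary value containing a quote, constructed for the demo

print_r(findUserSafe($pdo, $input)); // finds the row: id 2, username O'Brien

try {
    print_r(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    // The quote inside the data terminated the string literal, so the rest of
    // the input was parsed as SQL. That is exactly the injection point: with
    // interpolation, whatever follows the quote becomes part of the statement.
    echo 'Unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
```

On MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that binding is done by the server rather than by client-side escaping; both are correct when used as above, but server-side binding keeps data and SQL text separate all the way to the database.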

CI's libraries are as good a defense against SQL injection as mysql_real_escape_string (or whatever your preferred driver is). Why is this? Because their DB library calls that on all inputs. It also properly escapes all table and column names. Further, use of PDO means that you'll need to somehow use a rewrite of CI's Active Record syntax.

That said, there are a lot of benefits to PDO. I just don't think security is practically one of them.
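The escaping described above is applied to values the library receives as separate arguments; a value you interpolate into a custom `where()` string yourself never passes through it. The following CodeIgniter 3.x model, added here as an example (not code from the question, the answers or the CodeIgniter project), puts the escaped forms next to the one that bypasses the library. It assumes the database library is loaded as `$this->db` and a hypothetical `users` table with a `username` column.

```php
<?php
// Added example: which CodeIgniter 3.x Query Builder forms are escaped by the
// library and which are not. Assumes $this->db is loaded and a `users` table
// (hypothetical) with a `username` column.
defined('BASEPATH') OR exit('No direct script access allowed');

class User_model extends CI_Model
{
    // Key/value where(): the value is escaped by the active driver before it
    // is placed in the SQL. This is the form the answer above is talking about.
    public function find_by_username($username)
    {
        return $this->db->where('username', $username)
                        ->get('users')
                        ->row_array();
    }

    // Query bindings: each ? is replaced by an escaped value, so this is also safe.
    public function find_by_username_bound($username)
    {
        $sql = 'SELECT id, username FROM users WHERE username = ?';
        return $this->db->query($sql, array($username))->row_array();
    }

    // LIKE patterns need % and _ escaped as well as quotes; like() does that
    // for you, so the user's term cannot widen the match.
    public function search($term)
    {
        return $this->db->like('username', $term)->get('users')->result_array();
    }

    // Custom-string where(): the string is passed through verbatim, so the
    // interpolated value is NOT escaped. This is the form to avoid.
    public function find_by_username_unsafe($username)
    {
        return $this->db->where("username = '$username'")
                        ->get('users')
                        ->row_array();
    }

    // If a hand-written clause is unavoidable, escape the value yourself first:
    // escape() returns it quoted and escaped for the active driver.
    public function find_by_username_manual_escape($username)
    {
        $escaped = $this->db->escape($username);
        return $this->db->where("username = $escaped")
                        ->get('users')
                        ->row_array();
    }
}
```

The same distinction applies to `$this->db->query($sql)` called with no bindings: it runs the string exactly as given, so any value you have built into `$sql` must already have gone through `escape()`.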