
you mean you shouldn't trust user input?


The arguments to controller methods (in CI) are passed through some regular expressions. CI goes as far as to destroy all GET variables (which I highly disagree with).


GETs are all removed (by default), but for URI segments you'll just get some character filters and some anti-XSS attempts (assuming you have that on). Nothing anywhere near sufficient to prevent SQL injection. Again, didn't dig too deep, but I don't see any validation that would prevent me from doing some level of at least blind SQL...


I would be excited to see an example exploit executed against the app, I've tried plenty of times without success.

Any pull request to fix a vulnerability will be happily accepted!


I think CI rejects anything in the URI which isn't alpha-numeric. Would that solve the issue?


Kind of, anything in permitted_uri_chars is allowed. This includes spaces, slashes, commas, %, and a handful of others by default. As I said, I only skimmed quickly so maybe I'm missing it. Will take a deeper look in a bit once not on mobile.
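An added example (not CodeIgniter's code, not from anyone in the thread) illustrating the point made above: a simplified stand-in for CI's permitted_uri_chars segment filter, next to the per-field validation and query binding that actually keep a URI segment out of the SQL text. The `records` table, the `fetch_record` function and the `$db` handle (CI's `$this->db`) are assumptions.

```php
<?php
// Default shipped in CodeIgniter 2.x config.php; note the literal space in it.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// Simplified model of CI's segment filter (assumption, not CI's own code):
// a segment passes if every character is in the permitted class.
function passes_uri_filter(string $segment, string $permitted = PERMITTED_URI_CHARS): bool
{
    // preg_quote escapes '-', so the ranges a-z and 0-9 are restored the way CI does it
    $class = str_replace('\-', '-', preg_quote($permitted, '/'));
    return preg_match('/^[' . $class . ']+$/i', $segment) === 1;
}

// Field-level validation: a record id is only ever a run of digits.
function validate_record_id(string $segment): ?int
{
    return ctype_digit($segment) ? (int) $segment : null;
}

// $db is CI's database object ($this->db in a controller). The '?' binding is
// escaped by the driver, so the segment value never becomes SQL syntax even if
// validation were somehow bypassed.
function fetch_record($db, string $segment): ?array
{
    $id = validate_record_id($segment);
    if ($id === null) {
        return null; // reject anything that is not a plain integer id
    }
    $query = $db->query('SELECT id, title FROM records WHERE id = ?', array($id));
    return $query->row_array() ?: null;
}

// Constructed sample segments showing what the character filter does and does not do.
foreach (array('42', '42 a.b', 'x%3A:y', 'tag,1') as $segment) {
    printf(
        "%-10s filter=%s  valid_id=%s\n",
        $segment,
        passes_uri_filter($segment) ? 'pass' : 'fail',
        validate_record_id($segment) === null ? 'no' : 'yes'
    );
}
```

Only `42` is a usable id; the filter also passes `42 a.b` and `x%3A:y` (space, `.`, `%`, `:` are all permitted), which is why per-field validation plus bindings, not the URI character filter, is what stands between the segment and the query.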


This is the escaping mechanism I was using.


I live by the communist motto. Trust, but verify.



