A friend of mine who is developing a site based on CodeIgniter (CI) pointed out something interesting. If you do not remove the \ character from the $config['permitted_uri_chars'] value in config.php, a user can perform an SQL injection. I have not tested this, but based on the comments in the source code I don't believe they meant to place a \ in the regex. There is no need to escape the - character. In config.php, change
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
to
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
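To see what the stray backslash does, here is an added example (not CodeIgniter's own code) that rebuilds the URI check the way older CodeIgniter releases built it: the config value is passed through preg_quote(), the escaped hyphens are restored so the a-z and 0-9 ranges keep working, and the result is dropped into an anchored, case-insensitive character class. That construction, the function names and the sample URI segments are assumptions made for the illustration; they are not from the original post.

```php
<?php
// Added example, not CodeIgniter's own code. The pattern is built the way
// older CodeIgniter releases built their URI check (assumption: the config
// value goes through preg_quote(), escaped hyphens are restored so the
// a-z and 0-9 ranges still work, and the result lands in an anchored,
// case-insensitive character class).
function permitted_uri_pattern(string $permitted_chars): string
{
    // preg_quote() turns '\' into '\\' and '-' into '\-'. Restoring '\-' to '-'
    // keeps the ranges, but the '\-' from the config has by now become '\\\-',
    // which the same replacement reduces to '\\-': a literal backslash followed
    // by a literal hyphen. The backslash is therefore a permitted character.
    $class = str_replace('\-', '-', preg_quote($permitted_chars));
    return '|^[' . $class . ']+$|i';
}

function uri_segment_is_permitted(string $segment, string $permitted_chars): bool
{
    return preg_match(permitted_uri_pattern($permitted_chars), $segment) === 1;
}

$shipped = 'a-z 0-9~%.:_\-';   // value as shipped in config.php
$fixed   = 'a-z 0-9~%.:_-';    // value with the backslash removed

// Constructed URI segments for the comparison (not from the original post).
$segments = ['blog-post-1', 'foo\bar', "it's"];

foreach ([$shipped, $fixed] as $chars) {
    echo "permitted_uri_chars = $chars\n";
    echo "  pattern: " . permitted_uri_pattern($chars) . "\n";
    foreach ($segments as $segment) {
        printf("  %-12s %s\n", $segment,
            uri_segment_is_permitted($segment, $chars) ? 'allowed' : 'rejected');
    }
}
```

With the shipped value the class comes out as `[a-z 0-9~%\.\:_\\-]`, so `foo\bar` is allowed; with the backslash removed it comes out as `[a-z 0-9~%\.\:_-]` and `foo\bar` is rejected, while `blog-post-1` passes in both cases because the trailing hyphen before `]` is literal either way. Check which construction your CodeIgniter release uses before relying on either outcome: if a release inserts the value into the character class unescaped, `\-` is only an escaped hyphen and the backslash is not permitted.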
** Update **
I have yet to confirm whether the person who told me about the SQL injection was using any of the following:
$this->db->escape(); $this->db->escape_str(); $this->db->escape_like_str();
Using those methods could make the difference if someone uses a \ as an escape character in a query.
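The reason the escaping functions matter is that a backslash immediately before the closing quote of a string literal is read by the database as an escape for that quote, so the literal never closes. The added example below (not CodeIgniter's own code) shows this with a stand-in for $this->db->escape_str(): escape_for_sql() doubles the backslash the way a MySQL-style driver does, and sql_literal_is_closed() is a deliberately small scanner that only tracks single-quoted literals with backslash escapes. The function names, the query shape and the sample segment are assumptions made for the illustration.

```php
<?php
// Added example, not CodeIgniter's own code. escape_for_sql() is a stand-in
// for $this->db->escape_str(): it doubles the backslash (and escapes the other
// characters a MySQL-style driver escapes) without needing a database
// connection. sql_literal_is_closed() only understands single-quoted literals
// with backslash escapes; it is here to show the effect, not to parse SQL.
function escape_for_sql(string $value): string
{
    $map = [
        '\\' => '\\\\',   // a lone backslash becomes two
        "'"  => "\\'",
        '"'  => '\\"',
        "\0" => '\\0',
        "\n" => '\\n',
        "\r" => '\\r',
    ];
    return strtr($value, $map);
}

// Walks the statement and reports whether every single-quoted literal was
// closed. Inside a literal, a backslash escapes whatever character follows it,
// so a backslash directly before the closing quote consumes that quote.
function sql_literal_is_closed(string $sql): bool
{
    $in_string = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($in_string && $c === '\\') {
            $i++;   // skip the escaped character, whatever it is
            continue;
        }
        if ($c === "'") {
            $in_string = !$in_string;
        }
    }
    return !$in_string;
}

// Assumed query shape: a URI segment interpolated into a string literal.
function build_query(string $segment, bool $escape): string
{
    $value = $escape ? escape_for_sql($segment) : $segment;
    return "SELECT id FROM posts WHERE slug = '$value'";
}

// Constructed URI segment (not from the original post): a lone backslash,
// which the shipped permitted_uri_chars value lets through.
$segment = '\\';

foreach ([false, true] as $escape) {
    $sql = build_query($segment, $escape);
    printf("%-9s %-42s literal %s\n",
        $escape ? 'escaped:' : 'raw:',
        $sql,
        sql_literal_is_closed($sql) ? 'closed' : 'LEFT OPEN');
}
```

The raw query ends in `'\'`, which the scanner reports as left open: the backslash has consumed the closing quote, so whatever follows in the statement is no longer inside the string the developer intended. After escape_for_sql() the value is `'\\'`, the backslash escapes only itself, and the literal closes normally.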
