CI does not use PDO.
Codeigniter PDO - SQL Injection Protection
CI uses mysql_real_escape_string() to protect against injection, or if you feel safer you can find (or write) your own PDO class, like the message above.
From http://codeigniter.com/user_guide/database/active_record.html :
"CodeIgniter uses a modified version of the Active Record database template. This template allows you to receive, insert, and update information in your database with minimal scripts. In some cases, only one or two lines of database code are required to complete the operation. CodeIgniter does not require each the database table was its own class file, but instead provides a more simplified interface.
In addition to simplicity, the main advantage of using Active Record features is that it allows you to create database-independent applications, because the query syntax is generated by each database adapter. It also provides more secure queries as these values ββare automatically logged out by the system. "
Fuseblown
source share