Does the ActveRecord save() function apply mysql_escape_string to all the values inputed into the database?

What I do is the following:

$model = new User;

$model->attributes = $_POST[‘User’];


does the save() escape the characters inputted into the database?

It doesn’t, but if your question was “should I worry about sql injections”, then the answer is “no” :)

Some info: Prepared statements.

Wait when I call save() that uses prepared statements to enter the values in the database?