$sort_col appears to be just uri_segment 2 of list_items.
select_multiple() then calls:
$sql = "SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due FROM invoice WHERE company_id = " . $this->db->escape($company_id) . " ORDER BY $sort_col";
$sort_col is left as-is. It is certainly more difficult, since '()' aren't permitted in the URI, and we're already in the ORDER BY clause, but I think it may still be doable to get some blind SQL into there.
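One way to close this off, written here as an added example rather than code from the project: map the URI segment onto a fixed allowlist of column names before anything reaches the ORDER BY clause. The column keys, the default, and the function names below are assumptions, not the project's own.

```php
<?php
// Added example (not from the project): column names cannot be bound as
// query parameters, so the only robust defence for ORDER BY is to map the
// user-supplied value onto a fixed set of identifiers and discard the rest.

// Keys are what the URI segment may carry; values are the exact identifiers
// used in SQL. The set of columns here is assumed for the example.
const INVOICE_SORT_COLUMNS = [
    'id'       => 'id',
    'name'     => 'name',
    'duedate'  => 'duedate',
    'past_due' => 'past_due',   // alias defined in the SELECT list
];
const INVOICE_SORT_DEFAULT = 'id';

/**
 * Return the SQL identifier for a requested sort column, or the default
 * when the request is not in the allowlist. Unknown input is dropped, not
 * "cleaned", so no stray characters ever reach the query string.
 */
function invoice_sort_column(?string $requested): string
{
    $key = strtolower(trim((string) $requested));
    return INVOICE_SORT_COLUMNS[$key] ?? INVOICE_SORT_COLUMNS[INVOICE_SORT_DEFAULT];
}

/** Direction is handled the same way: only two literal values exist. */
function invoice_sort_direction(?string $requested): string
{
    return strtoupper(trim((string) $requested)) === 'DESC' ? 'DESC' : 'ASC';
}

/**
 * Build the invoice list query. company_id is an integer and is formatted
 * with %d; the ORDER BY parts come only from the allowlists above.
 */
function invoice_list_sql(int $company_id, ?string $sort_col, ?string $dir = null): string
{
    return sprintf(
        'SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due FROM invoice '
        . 'WHERE company_id = %d ORDER BY %s %s',
        $company_id,
        invoice_sort_column($sort_col),
        invoice_sort_direction($dir)
    );
}

// Constructed inputs: a legitimate sort key, then a key that is not in the
// allowlist and therefore falls back to the default column.
echo invoice_list_sql(7, 'name', 'desc'), PHP_EOL;
echo invoice_list_sql(7, 'name, 1', 'asc'), PHP_EOL;
```

The same allowlist can be applied in the controller before calling select_multiple(), so the model never sees an unvalidated segment at all.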
All projects which have just been open sourced are going to contain bugs. That is, until people like you find them and fix them and submit pull requests ;).
CI strips out all funky characters, so while it is possible to cause an erroneous query, I'm not seeing a security issue here.
On top of that we are all hopefully always learning. New kinds of security attacks will come along and we will have to figure out how to address them.
I would encourage you to consider trying hard to build a team around your project. In my experience open source software is hard work and really only can thrive in a community. This doesn't form magically around the software. It takes time and effort to build. If you can get good security folks in your community you can learn a lot from them.
One recommendation I have is to try to get a security guru on your team. LedgerSMB would be nowhere near as secure if it weren't for the efforts of Seneca Cunningham early on in the project. My coding and sensitivity to these issues have greatly improved.
in: controllers/invoice.php
$data['invoices'] = $this->invoice_model->select_multiple($this->session->userdata('company_id'), $page, $this->pref_user['per_page'], TRUE, $sort_col);