Column sorting variables should use a switch statement to make sure they're valid.
Just skimming, and e.g.
$data['invoices'] = $this->invoice_model->select_multiple($this->session->userdata('company_id'), $page, $this->pref_user['per_page'], TRUE, $sort_col);
$sort_col appears to be just uri_segment 2 of list_items.
select_multiple() then calls:
$sql = "SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due FROM invoice WHERE company_id = " . $this->db->escape($company_id) . " ORDER BY $sort_col";
$sort_col is left as-is. It is certainly more difficult, since '()' aren't permitted in the URI, and we're already in the ORDER BY clause, but I think it may still be doable to get some blind SQL into there.
I'll accept the pull request, however, I think the same issue exists in the other controllers (most of them have a list_items() method).
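As an added illustration of the switch-based whitelist suggested above (example code, not part of the project or of any comment here; the stand-in escape() and the helper names are assumptions), the sort column requested in list_items() is mapped onto a fixed set of column literals before it ever reaches the ORDER BY clause:

```php
<?php
// Minimal stand-in for CodeIgniter's $this->db->escape() so this runs alone (assumed).
final class FakeDb
{
    public function escape($value): string
    {
        return is_int($value) ? (string) $value : "'" . addslashes((string) $value) . "'";
    }
}

// Map the user-supplied sort key onto one of the columns the query actually
// selects. Anything else falls back to a safe default, so the only strings
// that can be interpolated into the SQL are the literals listed here.
function sort_column_for(string $requested): string
{
    switch ($requested) {
        case 'id':
        case 'name':
        case 'past_due':
            return $requested;   // known column, safe to interpolate
        default:
            return 'id';         // unknown or tampered value: default order
    }
}

// Same idea for the direction, if list_items() ever accepts one.
function sort_direction_for(string $requested): string
{
    return strtolower($requested) === 'desc' ? 'DESC' : 'ASC';
}

// Hardened version of the select_multiple() query from the thread: company_id is
// escaped as before, and the ORDER BY column comes from the whitelist only.
function build_invoice_query(FakeDb $db, $company_id, string $requested_sort, string $requested_dir = 'asc'): string
{
    $sort_col = sort_column_for($requested_sort);
    $sort_dir = sort_direction_for($requested_dir);
    return "SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due FROM invoice"
         . " WHERE company_id = " . $db->escape($company_id)
         . " ORDER BY $sort_col $sort_dir";
}

$db = new FakeDb();
// A legitimate URI segment is passed through unchanged...
echo build_invoice_query($db, 42, 'past_due', 'desc'), PHP_EOL;
// ...while a value that is not a known column never reaches the SQL.
echo build_invoice_query($db, 42, 'not_a_column'), PHP_EOL;
```

Each controller with its own list_items() gets its own switch listing only the columns that controller's query selects, rather than one shared list.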
Remove invalid characters in list_items() to prevent SQL-injections. …