My Codeigniter autocomplete with ajax

Published 2019-04-11 13:57

Question:

I’m adding private messaging to my site. In the Recipient text field in my form, I want to suggest valid usernames when someone starts typing. After reading tutorials and studying some scripts I made the following code for suggesting usernames from my database table named users. It works but I’m not certain how correct and secure it is.

jQuery (using the jQuery UI autocomplete plugin):

$(function() {                     
    $( "#username" ).autocomplete({ //the recipient text field with id #username
        source: function( request, response ) {
            $.ajax({
                url: "http://localhost/mysite/index.php/my_controller/search_username",
                dataType: "json",
                data: request,
                success: function(data){
                    if(data.response == 'true') {
                       response(data.message);
                    }
                }
            });
        },
        minLength: 1,
        select: function( event, ui ) {
            //Do something extra on select... Perhaps add user id to hidden input    
        },

    });
}); 

Controller (for simplicity I did not use a model, although I plan to):

function search_username()
{
    $username = trim($this->input->get('term')); //get term parameter sent via text field. Not sure how secure get() is

    $this->db->select('id, username');
    $this->db->from('users');
    $this->db->like('username', $username);
    $this->db->limit('5');
    $query = $this->db->get();

    if ($query->num_rows() > 0)
    {
        $data['response'] = 'true'; //If username exists set true
        $data['message'] = array();

        foreach ($query->result() as $row)
        {
            $data['message'][] = array(
                'label'   => $row->username,
                'value'   => $row->username,
                'user_id' => $row->id
            );
        }
    }
    else
    {
        $data['response'] = 'false'; //Set false if user not valid
    }

    echo json_encode($data);
}

Answer 1:

There is one edit that I would recommend making...

I would enable XSS protection by passing a second argument TRUE to get()

    $username = trim($this->input->get('term', TRUE));


Answer 2:

You can also add one more exception, if you want the function to work only for ajax calls:

if ($this->input->is_ajax_request())
{
    //... process the input
}
else
{
    show_404();
}


Answer 3:

Codeigniter active record database should make your code clean of any SQL injections. And if you're not posting anything you don't need to worry about XSS.

Using this someone could get a list of all possible usernames.. but other than that I would say it's "secure" (it looks very similar to what I'm using for my site =p)

EDIT:

And if you're not posting anything you don't need to worry about XSS.

I should clarify, IF you are posting anything (displaying anything that the user enters) then you should XSS filter (which johndavidjohn's answer below me explains [just pass TRUE as 2nd param]).. I didn't quite understand what you meant in your explanation of what "term" is... If all you are doing is searching, then you do not need to XSS filter, but if a user can send/write a message (generate content that your site stores [to be displayed]) then you should XSS filter on input.
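The three answers each cover one piece: XSS-filtering the `term` parameter (Answer 1), refusing non-ajax callers (Answer 2), and the fact that the endpoint hands out usernames to anyone who can reach it (Answer 3). The controller below is an added example, not the asker's code and not from any of the answers, that puts those pieces together in one CodeIgniter 3 Query Builder controller. It assumes the session library is loaded and that a logged-in user's id is stored under the session key `user_id` (an assumption; use whatever your login code stores). The `users` table, its `id` and `username` columns, and the `response`/`message` JSON shape are taken from the question.

```php
<?php
// Added example: a hardened search_username() combining the advice in the
// three answers. Assumes CodeIgniter 3 with the session library loaded and
// the logged-in user's id kept in session key 'user_id' (assumption).
defined('BASEPATH') OR exit('No direct script access allowed');

class My_controller extends CI_Controller
{
    public function search_username()
    {
        // Answer 2: serve XHR callers only; anything else gets a 404.
        if (!$this->input->is_ajax_request()) {
            show_404();
            return;
        }

        // Answer 3: the endpoint discloses usernames, so require a login
        // session; otherwise any anonymous visitor can enumerate the table.
        if (!$this->session->userdata('user_id')) {
            $this->output->set_status_header(403);
            return;
        }

        // Answer 1: the second argument TRUE runs the value through xss_clean().
        $term = trim((string) $this->input->get('term', TRUE));

        // Very short terms match most of the table, very long ones are never a
        // real username; refuse both before touching the database.
        if (mb_strlen($term) < 2 || mb_strlen($term) > 32) {
            $this->respond(array('response' => 'false'));
            return;
        }

        // Query Builder escapes the bound value (no SQL injection) and, in CI3,
        // escapes LIKE wildcards in it too. 'after' makes this a prefix match
        // (term%) instead of %term%; the limit is an int, not a string.
        $query = $this->db->select('id, username')
                          ->from('users')
                          ->like('username', $term, 'after')
                          ->limit(5)
                          ->get();

        $data = array('response' => 'false'); // default when nothing matches
        if ($query->num_rows() > 0) {
            $data['response'] = 'true';
            $data['message'] = array();
            foreach ($query->result() as $row) {
                $data['message'][] = array(
                    'label'   => $row->username,
                    'value'   => $row->username,
                    'user_id' => (int) $row->id,
                );
            }
        }
        $this->respond($data);
    }

    // Emit JSON with an explicit Content-Type so the browser never interprets
    // the body as HTML; the JSON_HEX_* flags encode <, >, &, ' and " so the
    // payload stays inert even if a template later echoes it into markup.
    private function respond(array $data)
    {
        $this->output
             ->set_content_type('application/json')
             ->set_output(json_encode(
                 $data,
                 JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
             ));
    }
}
```

The jQuery side from the question works unchanged against this controller: it already sends `term` as a GET parameter and reads `data.response` and `data.message`. The 403 for anonymous callers is the part Answer 3 hints at but does not code; if your site also shows usernames publicly (profile pages, comment authors) the enumeration concern is moot and you can drop that check, but keep the ajax check, the XSS filter and the length bounds.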