Sql map Manual Vulnerability Assessment

I am trying to do penetration testing for one of my client.
The platform is Code ignitor.
There is an endpoint /find/1
The function queries the vehicle table where vehicle ID is 1 with no sanity check.

Now I tried Acunetix scanner and it found both blind SQL and normal SQL injection on the website.
I need to show my client there is actually a flaw so I used sqlmap with various options

Like I know the backend DB is mysql, —skip-WAF

Ok endpoint /find/1*
Which means to inject at positive of asterisk.

Sqlmap performed detail evaluation however couldn’t exploit the vulnerability. I did the risk and verbose to see the queries myself as well.

What I noticed that * is marked as non permitted character in config of code ignitor which prevents sqlmap from making select * from… etc queries.

My Question:

Shall I assume that the website is safe? Since I can see in the code that sanity check has not been performed on the “input data”.