How to prevent SQL injection
#3

[eluser]CroNiX[/eluser]
If you use CI's active record or query bindings for database operations, all variables are already been run through mysql_real_escape_string(). I'd convert your "native" sql queries to Active Record, or at least run any variables through $this->db->escape() before executing them in a query. To me, the database layer should be taking care of using database functions, like mysql_real_escape_string(), and not somewhere else like in input::post().

You might also run into some problems if you do it on post variables, since they get run through form validation (or should be), and if some things are escaped it could cause them to fail validation as the data has changed and things added.
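As an added illustration of the advice above (example code, not CroNiX's or CodeIgniter's own), the same user lookup written as a raw native query and then the three ways the post recommends; it assumes a CodeIgniter 2.x model and a hypothetical "users" table with a "username" column:

```php
<?php
// Added example: one lookup, four ways, in a CodeIgniter 2.x model.
// Assumes a hypothetical "users" table with "id" and "username" columns.
class User_model extends CI_Model
{
    // VULNERABLE: the value is spliced into the SQL string unescaped, so a
    // quote character in $username ends the string literal and the rest of
    // the input is parsed as SQL.
    public function find_unsafe($username)
    {
        $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->row();
    }

    // Option 1: keep the native query but escape at query time with
    // $this->db->escape(). Note that escape() supplies the surrounding
    // quotes itself, so the SQL string must not add its own.
    public function find_escaped($username)
    {
        $sql = "SELECT id, username FROM users WHERE username = "
             . $this->db->escape($username);
        return $this->db->query($sql)->row();
    }

    // Option 2: query bindings. Each ? is replaced by its escaped value
    // by the database driver.
    public function find_bound($username)
    {
        $sql = "SELECT id, username FROM users WHERE username = ?";
        return $this->db->query($sql, array($username))->row();
    }

    // Option 3: Active Record, which escapes every value passed to it.
    public function find_ar($username)
    {
        return $this->db->get_where('users', array('username' => $username))->row();
    }
}

// Controller side: hand the (validated) POST value to the model untouched.
// Escaping happens in the database layer, not in input->post(), so form
// validation still sees exactly what the user submitted.
// $user = $this->user_model->find_bound($this->input->post('username'));
```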




