Are you sure about handling SECURITY?!
#2

(This post was last modified: 07-15-2016, 07:25 AM by PaulD.)

Your regex is overkill, as form validation already has alpha, alpha_numeric, alpha_numeric_spaces and much more available.

Here are some quick answers - hope they help.

Q1 Makes no sense. "Because I validate input do I still have to validate input"?

Q2 If you use the query builder it will attempt to escape everything for you. But see the note later about "it depends"...

Q3 xss_clean is better than htmlspecialchars as it does a bit more in addition. However, what you clean depends on the situation, the levels of trust and where the content is going (JS, HTML, headers, email content etc). See "it depends" later. CI advice is to always clean output.

Q4 You do not have to validate DB output, except I suppose in that it is null or not, or it is set or not, or it is a valid value or not etc (I suppose that is validation, but I do not think of it like that). But you may still have to clean it, as it may have unwanted content. I.e. if you put user content into your database then you need to clean it before outputting it to the screen again.

Q5 WYSIWYG is a difficult one. Personally I use HTML Purifier to prevent user input breaking screen layouts etc. You cannot htmlspecialchars it or xss_clean it, as it won't come out as HTML, which is the whole point of it in the first place.

Scenario 2
This is about trust: do you trust yourself or your admins not to post dangerous stuff, or not? Of course you do, although validation is still needed on input, as mistakes still get made.

Scenario 3
Not sure what you mean.

I think you might get better or more in-depth answers if you stuck to one thing at a time. You cannot really expect people to write a massive essay in response. And you do not need to add pseudocode just to describe posting data and writing it to a database.

I also think the right place to go for better advice is here: http://www.codeigniter.com/user_guide/ge...urity.html and that is the right place for a complete guide to security.

Paul.
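An added illustration of the "it depends where the output goes" point and of Q2 above. This is my own plain-PHP code, not Paul's and not part of CodeIgniter: it runs one hostile string and one benign one through a whitelist check (the plain-PHP equivalent of a rule like alpha_numeric_spaces), a parameterised query (what the query builder does for you), and then escapes the same stored value differently for an HTML attribute, a JS string literal and a URL parameter. It assumes the pdo_sqlite extension is available; the helper names (is_alnum_spaces, esc_html, esc_js, esc_url_param, store_comment) are made up for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the post or from CodeIgniter.
// Assumes the pdo_sqlite extension; every helper name here is made up.

// Constructed sample inputs: one hostile string and one ordinary name.
$hostile = '"><script>alert(1)</script> O\'Neil & Sons';
$benign  = 'Bob Smith';

// 1. Input validation: whitelist what the field is allowed to hold.
//    Plain-PHP equivalent of a rule like alpha_numeric_spaces.
function is_alnum_spaces(string $s): bool
{
    return preg_match('/^[A-Za-z0-9 ]+$/', $s) === 1;
}

// 2. Storage: a parameterised query, so the driver does the escaping.
//    This is what the query builder is doing on your behalf.
function store_comment(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// 3. Output: escape for the sink, not for "the web" in general.
function esc_html(string $s): string
{
    // Element text, or an attribute value inside double quotes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_js(string $s): string
{
    // A string literal inside an inline <script>. The HEX flags turn
    // < > & ' " into \u escapes, so "</script>" cannot close the block.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

function esc_url_param(string $s): string
{
    // One query-string value. htmlspecialchars would be the wrong tool here.
    return rawurlencode($s);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

foreach ([$benign, $hostile] as $input) {
    printf("input: %s\n", $input);
    printf("  passes alnum_spaces rule: %s\n", is_alnum_spaces($input) ? 'yes' : 'no');

    // Store it regardless, to show that the database round-trip is not
    // what protects the page: the string comes back exactly as submitted.
    store_comment($pdo, $input);
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE body = :body');
    $stmt->execute([':body' => $input]);
    $stored = (string) $stmt->fetchColumn();

    printf("  unescaped (broken):  <p>%s</p>\n", $stored);
    printf("  html body/attribute: <input value=\"%s\">\n", esc_html($stored));
    printf("  js literal:          <script>var c = %s;</script>\n", esc_js($stored));
    printf("  url parameter:       <a href=\"/search?q=%s\">search</a>\n", esc_url_param($stored));
    echo "\n";
}
```

Run it with php on the command line. The benign name passes the whitelist and is unchanged by all three escapers, which is why escaping on output is cheap to do everywhere; the hostile string fails the whitelist, is stored and retrieved intact by the parameterised queries (SQL injection is not the issue at that step), and then comes out as three different byte sequences depending on the sink. None of this applies to the WYSIWYG case from Q5, where the stored value is supposed to stay HTML and needs a sanitiser such as HTML Purifier instead of an escaper.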
Messages In This Thread
RE: Are you sure about handling SECURITY?! - by PaulD - 07-15-2016, 07:13 AM