Beyond the form validation that CI provides, you can also use your own custom validation rules, and you should if you have to. Also, I like to type cast numbers to int or float, sometimes eliminating the need for form validation if all I'm posting is numbers. While it is specifically suggested that it not be done, I do run almost almost all strings through xss_clean. If that's just a bad habit, and if somebody wants to share an article to read about why it is so, I might be persuaded to change my ways.