[eluser]pickupman[/eluser]
If you are using ActiveRecord syntax ($this->db->update/insert) along with xss_clean, you are doing it correctly. The ActiveRecord syntax automatically escapes SQL queries unless you have explicitly set it not to. Also, using $this->db->set('field_name', $field_name) will protect the fields as well.
Code:
foreach ($_POST as $key => $val) {
    $this->db->set($key, $val);
}
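Added example, not part of pickupman's post: the loop above takes its column names from the keys of $_POST, which the client chooses, so one way to constrain it is to filter the input against an allowlist before calling $this->db->set(). The function name, column names, table name and sample input below are assumptions made for illustration.

```php
<?php
// Added example: allowlist POST fields before handing them to $this->db->set().
// Function name, column names and sample input are hypothetical / constructed.

/**
 * Keep only fields named in $allowed whose values are plain strings.
 * Returns array(accepted fields, rejected keys) so rejections can be logged.
 */
function filter_fields(array $input, array $allowed)
{
    $accepted = array();
    $rejected = array();
    foreach ($input as $key => $val) {
        // Keys arrive from the client, so an unexpected key is dropped here
        // instead of being used as a column name. Strict comparison keeps
        // integer keys from loosely matching a string column name.
        if (!in_array($key, $allowed, true)) {
            $rejected[] = $key;
            continue;
        }
        // Fields submitted as name[]=... arrive as arrays; one column expects a string.
        if (!is_string($val)) {
            $rejected[] = $key;
            continue;
        }
        $accepted[$key] = $val;
    }
    return array($accepted, $rejected);
}

// Constructed request body standing in for $_POST.
$post = array(
    'title'    => 'Hello',
    'body'     => "It's a post",
    'is_admin' => '1',             // a column the form never offered
    'tags'     => array('a', 'b'), // array value for an allowed name
);

list($fields, $dropped) = filter_fields($post, array('title', 'body', 'tags'));

print_r($fields);
print_r($dropped);

// Inside a CodeIgniter model the accepted fields would then be passed on
// (table name 'posts' is hypothetical):
// foreach ($fields as $key => $val) { $this->db->set($key, $val); }
// $this->db->insert('posts');
```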