Sanitizing is more than just running your input through all sorts of filters.
Sanitizing your input means not contaminating your application with user data that you do not need.
The big question, however, is: what do you not want?
First example
You have created a page that lets the user send a text message. The expected input is a phone number and a text message.
Looking at the rule reference in the manual, I would probably go for these rules for the phone number:
numeric|exact_length[8]
I pick these rules because I want to make sure that the input is numeric and that it matches the length of the phone numbers in my region. Since I already confirm that the input is numeric, I can assume that attempts to inject XSS and SQL will fail validation, because those payloads contain non-numeric characters. Note that numeric also accepts a leading sign and a decimal point; if you want only the digits 0-9, is_natural is the stricter rule.
For the text message field I trim the input and make sure it is not empty: trim|required , because I am not sending an empty message.
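As an added example (not code from the original post), here is how the SMS form above looks as a CodeIgniter 3 controller. It uses is_natural instead of numeric so that only digits pass, and the controller, view and model names are assumptions.

```php
<?php
// Added example, not from the original post. Controller, view and model
// names (Sms, sms_form, sms_sent, sms_model) are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

class Sms extends CI_Controller
{
    public function send()
    {
        $this->load->library('form_validation');
        $this->load->helper('form');

        // Phone number: digits only, exactly 8 of them (the length used in my region).
        // numeric alone also accepts "-1234567" or "1234.567", which is why
        // is_natural is used here instead.
        $this->form_validation->set_rules('phone', 'Phone number',
            'trim|required|is_natural|exact_length[8]');

        // Text message: strip surrounding whitespace, then refuse an empty message.
        // max_length[160] is an added check so a user cannot post a multi-part flood.
        $this->form_validation->set_rules('message', 'Message',
            'trim|required|max_length[160]');

        if ($this->form_validation->run() === FALSE) {
            // Validation failed: nothing reaches the SMS gateway, the form is
            // shown again with validation_errors() available to the view.
            $this->load->view('sms_form');
            return;
        }

        // After run() succeeds the library writes the trimmed values back into
        // $_POST, so input->post() returns the processed values, not the raw ones.
        $phone   = $this->input->post('phone');
        $message = $this->input->post('message');

        // sms_model->send() stands in for whatever gateway client you use.
        $this->load->model('sms_model');
        $this->sms_model->send($phone, $message);
        $this->load->view('sms_sent');
    }
}
```

The important part is the early return: a request that fails the rules never gets as far as the gateway call, so the phone number that reaches send() is guaranteed to be eight digits.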
Second example
Enabling users to comment is also a good way to let them spam your site or enter malicious code.
Basically, you ask for a name, an email address and a comment.
All fields are required. The email address must be validated. The name and the comment should be cleaned of XSS and of leading and trailing whitespace.
My sanitization rules would look like this:
$this->form_validation->set_rules('name', 'Name', 'required|trim|xss_clean');
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
$this->form_validation->set_rules('comment', 'Comment', 'required|trim|xss_clean');
Sanitize what you must, not what you can, and validate for what you actually need.
Validation and xss_clean protect the page, not the query. When you insert data into your database, use Active Record / Query Builder, which escapes your input correctly, or use Query Bindings, which do the same for you.
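As an added example (not code from the original post), the comment form above as a CodeIgniter 3 controller: the three rules from the second example, the insert done with query bindings so the database driver escapes every value, and the stored comment escaped again with html_escape() when it is printed. The controller, table and view names are assumptions.

```php
<?php
// Added example, not from the original post. Controller, table and view
// names (Comments, comments, comment_form) are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

class Comments extends CI_Controller
{
    public function post()
    {
        $this->load->library('form_validation');
        // The security helper provides the xss_clean() function behind the rule.
        $this->load->helper(array('form', 'url', 'security'));
        $this->load->database();

        $this->form_validation->set_rules('name', 'Name', 'required|trim|xss_clean');
        $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
        $this->form_validation->set_rules('comment', 'Comment', 'required|trim|xss_clean');

        if ($this->form_validation->run() === FALSE) {
            // Nothing is stored until every rule passes.
            $this->load->view('comment_form');
            return;
        }

        // Query bindings: each ? is replaced by the escaped value, so a comment
        // such as  '); DROP TABLE comments; --  is stored as text, never executed.
        $sql = 'INSERT INTO comments (name, email, comment) VALUES (?, ?, ?)';
        $this->db->query($sql, array(
            $this->input->post('name'),
            $this->input->post('email'),
            $this->input->post('comment'),
        ));

        // Query Builder does the same escaping without a hand-written statement:
        // $this->db->insert('comments', array('name' => ..., 'email' => ..., 'comment' => ...));

        redirect('comments');
    }

    public function index()
    {
        $this->load->database();
        $rows = $this->db->get('comments')->result();

        foreach ($rows as $row) {
            // xss_clean was a filter on the way in; escaping on the way out is what
            // stops a stored value from being parsed as HTML in the browser.
            echo '<p><b>' . html_escape($row->name) . '</b>: '
               . html_escape($row->comment) . '</p>';
        }
    }
}
```

Both insert styles end up with the same escaped statement; the point is that the escaping belongs to the database layer, while xss_clean and the validation rules decide what you are willing to accept in the first place.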