Web-based security is a pretty broad field, but at the end of the day, as far as you're concerned, security is a question of threat level (or vulnerability) and opportunity. In all likelihood, an attack that is fairly common against a completely unprotected target will be tried long before an obscure attack on an unknown or hidden target. Your job is not to defend against every possible situation, but it is your job to make sure that your systems are secure enough to make the attacker try somewhere else. What this comes down to is a "defense-in-depth" attitude that will help you keep your applications secure from malicious users.
That being said, the number one rule of web application security is that user input cannot be trusted. In fact, any data that are received from any process can't be trusted. They should all be considered tainted and need to be filtered one way or another. For example, 99 percent of the time, the URI strings that are passed around will be OK, but someone will try to hack the URIs, trying to pass in a very long ID, for example, to your model. Your job is to make sure that doesn't happen.
CodeIgniter has some built-in security processes that will help you sleep better at night, including the following:
The out-of-the-box configuration only allows certain characters in URI strings. You can add more allowable characters by editing the /system/application/config/config.php file, but doing so will create further openings for certain attacks. The ...