Use PHP to prevent XSS attacks within an image
As long as you keep the extension correct (and your users are diligent about updating their browser) image injection should not be possible.
For instance, if someone uploads alert('xss'); as an image and you have <img src='that-image.png'>, it will be emitted as a png and the JavaScript won't execute (at least back to IE7). What's important is that you rename the images appropriately.
If you have php > 5.3 and the finfo PECL extension, you can use it to get the mime type of the file and have a whitelist of types you will allow (png, jpg, gif I would imagine). If you are on a Linux machine, file may help you with that as well.
In CodeIgniter there's many way to prevent the XSS. You can enable it when getting the value like ->post('data', true). The second parameter is the XSS bool.
Also, don't use the HTML IMG tag. Use the CodeIgniter one that will clean, look and make it easier to display the image.
Just my two cents!