In a Client-Server application, like this, you have to consider two, very separate Environments:
The secure Environment, in which your code runs and your database lives.
Here, you can Trust everything.
Everything is stored in "proper" Data Types.
Life is Good. 🙂
The unsecure Environment, which is everything outside the secure Environment. This includes the User's browser and even the TCP/IP channel between your server and that browser.
Here, you can Trust nothing.
All data is encoded into Character Representations of itself (Users cannot enter "numbers" or "dates" as a computer or a database would store them).
The trick, then, is how to get Data back and forth, between the two?
For data coming "in", you have to clean, verify and decode those data to make them safe to be "admitted" into your "Inner Sanctum", most importantly, your database. This is basic, defensive programming-type stuff, plus things like Prepared SQL statements to minimise database vulnerability.
That's where filter_var can help (once you've figured out what sort of Wee Beastie the datum is - trying to do numeric range checks on the letter 'q' always causes "fun" in testing).
For data going "out", you have to encode those data to make them safe for the browser receiving them.
That's where things like htmlentities and htmlspecialchars come in, to defend against Cross-Site Scripting (XSS) Attacks and other things.
You should also consider more general things, like date and number formatting, which different User communities may want presented differently.
Here's a comprehensive StackExchange Accepted answer on the subject.
Regards,
Phill W.
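The two boundaries described in the post (cleaning data on the way "in" with filter_var and a prepared statement, encoding data on the way "out" with htmlspecialchars) as one added, self-contained PHP example. This is not Phill W.'s code; it assumes the pdo_sqlite extension is available and uses an in-memory SQLite database and a constructed `$post` array standing in for a form submission.

```php
<?php
declare(strict_types=1);

// Added example: inbound validation with filter_var, storage through a
// prepared statement, and outbound escaping with htmlspecialchars.
// Assumes the pdo_sqlite extension; everything else is core PHP.

/** Validate an untrusted "age" field; returns an int, or null when rejected. */
function parseAge(string $raw): ?int
{
    // Everything from the browser is a string. filter_var converts and
    // range-checks in one step: 'q', '', '12abc' and '200' all come back false.
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $age === false ? null : $age;
}

/** Validate an e-mail address; returns the string, or null when rejected. */
function parseEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Encode a string for safe placement in HTML text or a quoted attribute. */
function h(string $s): string
{
    // ENT_QUOTES also escapes ' and ", so the value is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Validate one submission and store it; true on success, false if rejected. */
function storePerson(PDO $pdo, array $post): bool
{
    $age   = parseAge((string)($post['age'] ?? ''));
    $email = parseEmail((string)($post['email'] ?? ''));
    $name  = trim((string)($post['name'] ?? ''));
    if ($age === null || $email === null || $name === '' || strlen($name) > 100) {
        return false;   // rejected at the boundary; nothing reaches the database
    }
    // Prepared statement: values are bound as parameters, never concatenated,
    // so an apostrophe in a name cannot change the meaning of the SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO people (name, email, age) VALUES (:name, :email, :age)'
    );
    $stmt->bindValue(':name',  $name,  PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':age',   $age,   PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed sample submissions, as a browser would send them (all strings).
$goodPost = [
    'name'  => "<script>alert(1)</script> O'Brien",
    'email' => 'phill@example.com',
    'age'   => '42',
];
$badPost  = ['name' => 'x', 'email' => 'not-an-address', 'age' => 'q'];

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');

storePerson($pdo, $goodPost);   // accepted: the raw name is stored as-is
storePerson($pdo, $badPost);    // rejected: 'q' fails the integer check

// Data going "out": encode at the moment it is rendered, not when it was stored.
foreach ($pdo->query('SELECT name, email, age FROM people') as $row) {
    echo '<li data-email="' . h($row['email']) . '">'
       . h($row['name']) . ' (' . (int)$row['age'] . ')</li>' . PHP_EOL;
}
```

The design point is that the name is stored exactly as submitted and only made harmless by `h()` at render time; escaping on the way in would corrupt the stored data and still leave other output contexts (JSON, CSV, e-mail) unprotected. The integer is bound with `PDO::PARAM_INT` so the database receives a number, matching the post's point that the secure side works in "proper" data types while the browser only ever supplies character strings.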