[php] SQL and XSS protection
Hello, please advise a function or class for checking and processing incoming data to protect against vulnerabilities (I do not use frameworks).
Sorry, hit enter
http://www.php.net/manual/en/book.pdo.php
or rather, check out bindParam
For XSS there are quite a few functions:
strip_tags() - strips HTML and PHP tags from a string.
htmlspecialchars() - converts only the special characters ('&', '"', ''', '<' and '>') to HTML entities ('&amp;', '&quot;', ...). Used to filter user input for protection against XSS attacks.
htmlentities() - converts all characters in a string (except letters) to HTML entities. Used to protect against XSS, being a more flexible analogue of htmlspecialchars.
stripslashes() - strips escaping backslashes (in essence, after escaping with the previous functions there is no need for them).
To protect yourself from SQL injection and XSS, you need to understand at least at a minimum level what they are in general and how they work.
Then there will be no injections, no such meaningless questions and no such meaningless answers.
For SQL, I recommend using mysqli; in it you specify the data type when preparing a query.
For XSS, escape with htmlspecialchars() and use double quotes everywhere in the HTML - this is both standard and safe (you can, of course, escape with ENT_QUOTES, but that is an extra headache).
This is what I have always done against SQL attacks:
// Function for escaping variables
// Note: get_magic_quotes_gpc() was removed in PHP 8 and mysql_real_escape_string()
// (the old mysql_* extension) was removed in PHP 7; the latter also needs an open
// mysql_connect() link, so this only works on a PHP 5 stack.
function quote_smart($value)
{
    // if magic_quotes_gpc is enabled, undo its escaping with stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // If the variable is a number, it does not need escaping;
    // if not, escape it (the caller adds the surrounding quotes)
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
$info = $Database->prepare("SELECT money FROM users WHERE text = '".quote_smart($_POST["text"])."'");
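The prepared-statement approach recommended in the mysqli/PDO answers, applied to the same SELECT as the quote_smart() post and paired with output escaping via htmlspecialchars(). This is an added example, not code from the thread; it uses an in-memory SQLite table (constructed rows) so that it runs stand-alone, and the table, column and input values are assumptions.

```php
<?php
// Added example (not from the thread): PDO prepared statement for the query
// in the quote_smart() post, plus output escaping with htmlspecialchars().
// Uses an in-memory SQLite table so it runs stand-alone; for MySQL only the
// DSN changes, e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4'.
declare(strict_types=1);

// Escape a value for an HTML body or a double-quoted attribute.
// ENT_QUOTES also covers single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string for the whole value.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The injectable pattern from the thread: input spliced into the SQL text.
// Shown for contrast only; it is not called below.
function moneyUnsafe(PDO $db, string $text): ?string
{
    $row = $db->query("SELECT money FROM users WHERE text = '$text'")->fetch();
    return $row === false ? null : (string) $row['money'];
}

// Prepared statement: the value is bound as data and never parsed as SQL,
// so quotes, backslashes or comment markers in $text cannot alter the query.
function moneySafe(PDO $db, string $text): ?string
{
    $stmt = $db->prepare('SELECT money FROM users WHERE text = :text');
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['money'];
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (text TEXT, money INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 100), ('bob', 250)"); // constructed rows

// Constructed input containing a single quote, as a form field might carry it.
// With moneyUnsafe() this would break the SQL; with moneySafe() it is just a
// value that matches no row.
$input = "o'neil";
var_dump(moneySafe($db, $input));
var_dump(moneySafe($db, 'bob'));

// Escape at the point of insertion into HTML, not when the input arrives,
// so the raw value stays usable for the database query above.
echo '<p>Query: <span title="' . e($input) . '">' . e($input) . '</span></p>', PHP_EOL;
```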
To protect against cross-site scripting (XSS), you can use built-in functions such as:
htmlspecialchars()
Converts certain characters to HTML entities so that they keep their literal meaning. Be sure to use it to filter user input.
The following functions can be used to protect against SQL injection:
mysql_real_escape_string()
Escapes special characters, taking into account the connection encoding, so that the result can be safely used in an SQL query.
You can also protect yourself by filtering against a "white" list, casting variables to the expected type and using prepared queries.
To find fields that need filtering, you can use special vulnerability scanners; for SQL injection, for example, you can use the SQLMAP utility.
For a more comprehensive approach to protecting the site, you can use online vulnerability scanners that check for most of a site's vulnerabilities, and it also does not hurt to check for vulnerabilities related to the application protocols in use. Try metascan or https://sitecheck.sucuri.net