SQL and XSS: did I understand everything correctly?
1) Entering information into the database using PDO: prepare a query, bind the variables with their type indicated, and execute; if there is no input data, you can also use a plain query. If an id, say of an article, is passed via a GET request, it needs to be converted to an integer: $sth->bindValue(1, (int) $id, PDO::PARAM_INT); If the input data includes, for example, the name of a column in the table, it is better to use a pre-prepared array with all the column names, check for presence with in_array(), and execute only if it is there.
2) Displaying information from the database (entered by the user) inside a tag: only after running it through htmlspecialchars or strip_tags;
3) If the information is displayed not inside the tag but in its attribute (for example, we want to keep the value in the input if the form was filled in incorrectly), use htmlspecialchars with the second argument ENT_QUOTES, since the value attribute can be enclosed not in double but in single quotes.
I tried to add blocks with events or links with href="javascript: ..." through the vulnerabilities; the browser itself blocked everything.
Am I doing everything right? Thank you in advance for your advice.
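A runnable sketch of points 1-3, added here as an example and not part of the original post. It uses an in-memory SQLite database so it runs stand-alone; the articles table and its column names are assumed.

```php
<?php
// Added example, not from the original post: points 1-3 on an in-memory SQLite
// database so it runs stand-alone. The articles table and its columns are assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, author TEXT)');

// 1) User-supplied values go into the query only through bound parameters.
$ins = $pdo->prepare('INSERT INTO articles (title, author) VALUES (:title, :author)');
$ins->bindValue(':title', 'Hello <b>world</b>', PDO::PARAM_STR);
$ins->bindValue(':author', "O'Brien", PDO::PARAM_STR);
$ins->execute();

// An id taken from $_GET is cast to int and bound as PDO::PARAM_INT.
function findArticle(PDO $pdo, string $rawId): ?array
{
    $sth = $pdo->prepare('SELECT id, title, author FROM articles WHERE id = ?');
    $sth->bindValue(1, (int) $rawId, PDO::PARAM_INT);
    $sth->execute();
    return $sth->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Column names cannot be bound, so check them against a fixed list with a
// strict in_array() and only then build the query text.
function listArticles(PDO $pdo, string $sortBy): array
{
    $columns = ['id', 'title', 'author'];
    if (!in_array($sortBy, $columns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $pdo->query("SELECT id, title FROM articles ORDER BY $sortBy")
               ->fetchAll(PDO::FETCH_ASSOC);
}

$a = findArticle($pdo, '1 OR 1=1');   // (int) '1 OR 1=1' === 1; the rest is dropped

// 2) Text content: htmlspecialchars() neutralises the <b> tag.
printf("<h2>%s</h2>\n", htmlspecialchars($a['title'], ENT_QUOTES, 'UTF-8'));

// 3) Attribute in single quotes: ENT_COMPAT leaves the apostrophe alone, which
// would end the attribute early; ENT_QUOTES encodes it as &#039;.
printf("<input value='%s'>  <!-- unsafe -->\n", htmlspecialchars($a['author'], ENT_COMPAT, 'UTF-8'));
printf("<input value='%s'>  <!-- safe -->\n",   htmlspecialchars($a['author'], ENT_QUOTES, 'UTF-8'));

print_r(listArticles($pdo, 'title'));
```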