After googling I have seen some comments that PHP's function filter_var($var, FILTER_STRING); is unreliable or doesn't do much. Reference: What does FILTER_SANITIZE_STRING do?
See the last comment by Álvaro González.
If this is so, suppose I use a regex as my filter for the data that I want from user input and always insert the data using prepared statements; isn't that the safest way to accept user input? My reasoning is that by using a regex, I will only ever get the type of data that I want.
Look at this script:
<?php
// Strip every character that is not an ASCII letter (digits, spaces and
// punctuation are all removed, not just SQL metacharacters).
$string = "Th*()is 999 is <<>> a ~!@# sample st#$%ring.";
$res = preg_replace("/[^a-zA-Z]/", "", $string);
echo $res;
?>
Output: Thisisasamplestring
How could an attacker get around that? We are talking about SQL injection attacks etc.
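As an added example that is not part of the question above, here is the "regex plus prepared statement" approach written the way a practitioner would normally apply it: the regex is used to validate and reject input (preg_match with \A and \z anchors) rather than to silently strip characters, and the insert goes through a PDO prepared statement with a bound parameter. It runs against an in-memory SQLite database and assumes the pdo_sqlite extension is installed; the function names (validateName, openDb, insertUser) and the sample inputs are constructed for the illustration.

```php
<?php
// Added example, not code from the original question. Assumes the pdo_sqlite
// extension is available; SQLite is used only so it runs without a server.

declare(strict_types=1);

/**
 * Validate instead of sanitize: return the input unchanged only if it consists
 * solely of ASCII letters and spaces (1 to 100 characters); otherwise return
 * null so the caller can reject the request rather than store altered data.
 * \A and \z anchor the whole string; a bare $ would still allow a trailing
 * newline before the end of the string.
 */
function validateName(string $input): ?string
{
    return preg_match('/\A[a-zA-Z ]{1,100}\z/', $input) === 1 ? $input : null;
}

/** Open an in-memory database with one table to insert into. */
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

/**
 * Insert with a bound parameter. The value is sent separately from the SQL
 * text, so quotes or semicolons inside it never change the statement.
 */
function insertUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

/** Read a row back, also via a bound parameter. */
function fetchName(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

$pdo = openDb();

// Constructed sample inputs: a benign name, the string from the question,
// and a classic injection attempt.
$inputs = [
    'Alice Smith',
    'Th*()is 999 is <<>> a ~!@# sample st#$%ring.',
    "Bob'); DROP TABLE users; --",
];

foreach ($inputs as $raw) {
    $clean = validateName($raw);
    if ($clean === null) {
        echo 'rejected: ' . json_encode($raw) . PHP_EOL;
        continue;
    }
    $id = insertUser($pdo, $clean);
    echo "stored id $id: " . json_encode($clean) . PHP_EOL;
}

// Even when the regex check is skipped, the bound parameter keeps the payload
// inert: it is stored as a literal string and the table still exists.
$id = insertUser($pdo, "Bob'); DROP TABLE users; --");
echo 'stored verbatim: ' . json_encode(fetchName($pdo, $id)) . PHP_EOL;
echo 'rows now: ' . $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn() . PHP_EOL;
```

Two design points worth noting. First, preg_replace as used in the question is lossy: the second sample input would be stored as "Thisisasamplestring", which is safe for the database but is not what the user typed, so rejecting with preg_match is usually the better contract. Second, the regex and the prepared statement protect against different things: the regex constrains what the field may contain, while the bound parameter is what actually keeps the value out of the SQL text, for every field, including ones (free-text comments, passwords) where a letters-only regex would be unusable.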