also make sure you check lengths and watch for possible buffer overflow
I usually trim, strip_tags and mysql_real_escape_string
you can do a strip for everything between <script and </script>
You can have an allowed set of chars as well, that all depends on understanding what data would be "normal" for your application
>> perhaps remove everything between any < and >
watch that one as I just used those chars properly above. If you were expecting people to submit mathematical equations or code then that would also be a problem
the big thing is to have your standard safeguards, then to profile your expected input, what will users be submitting, and then see if you can have extra rules
I don't actually believe in cleaning data. I validate it, if it doesn't pass then you throw it back to the user to correct. There isn't much point in trying to correct their mistakes, let them do it. It helps to educate them as well.
also don't be overly verbose in your error messages, tell them what they need to know but don't give too much info in case you give a potential hacker extra info.
I also like to log all failures, it helps me to see what my script is doing and helps me better profile what may, or may not, need to be done.