So I am trying to make my website more secure. Is using htmlspecialchars and htmlentities enough? And should I filter output or just input?
filter_var and filter_input are also used for validation of forms and external variables. https://www.w3schools.com/php/php_filter.aspis https://www.php.net/manual/en/function.filter-input
Definitely, the input. You don't want any garbage in your DB. Search stackoverflow for viable solutions.
The good practice is NOT to htmlspecialchars or htmlentities the input data before you store it in database (it should be raw). You just need to use htmlspecialchars function when you output it to the browser. Read this related question and answers: https://stackoverflow.com/questions/9299152/do-i-need-to-use-html-entities-when-storing-data-in-the-database
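The point made in that answer, shown as an added example that is not from the thread or from any of the posters: escaping at storage time double-encodes the data the moment a template escapes it again, and it also breaks other uses of the stored value (search, length limits, exports), while escaping once at output time gives correct HTML in both text and attribute position. The helper name `e()` and the sample comment string are constructed for this example; the flag combination is the standard one for HTML5 output. Assumes PHP 8 (for `str_contains`).

```php
<?php
// Added example (not from the thread): why escaping belongs at output time,
// not at storage time. Run with: php escape_on_output.php
declare(strict_types=1);

// One escaping helper for HTML text nodes and quoted attribute values.
// ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed user input: a legitimate comment that happens to contain markup-like characters.
$input = 'I <3 "PHP" & Tom\'s code';

// Approach A (discouraged in the thread): encode before storing.
$storedEncoded = e($input);          // what would end up in the DB
$renderedA     = e($storedEncoded);  // a template escapes again -> double encoding
// The visitor now sees the literal text &lt;3 &quot;PHP&quot; ... on the page.

// Approach B (recommended): store the raw string, escape exactly once when rendering.
$storedRaw = $input;                 // what ends up in the DB
$renderedB = e($storedRaw);          // I &lt;3 &quot;PHP&quot; &amp; Tom&apos;s code

// Raw storage also keeps other uses of the data working: a substring search for
// the text the user actually typed matches the raw value but not the encoded one.
$searchHit = [
    'encoded' => str_contains($storedEncoded, '"PHP"'),  // false
    'raw'     => str_contains($storedRaw, '"PHP"'),      // true
];

// Rendering: escape where the value meets HTML, in text position and in attribute position.
printf("<p>%s</p>\n", $renderedB);
printf("<input value=\"%s\">\n", e($storedRaw));
printf("double-encoded output: %s\n", $renderedA);
var_dump($searchHit);
```

`htmlspecialchars` covers HTML text and quoted-attribute contexts only; a value placed inside a `<script>` block, a URL, or an unquoted attribute needs the encoder for that context, which is why the escaping call has to live in the template where the context is known rather than at the database boundary.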
THIS! The bigger question is are you using prepare/execute like a good little doobie so that you have auto-sanitization/escaping of user input to the database? A lot of the batshit crazy hoops people jump through still thinking they're writing PHP 4.5 can be skipped -- and thus most framework BS can also be skipped -- if you just use PDO with prepare/exec. Making it so you don't have to sanitize or escape input. But yes, htmlspecialchars your output whenever possible. But if like so many you're still slopping variables into query strings like it's 20 years ago, then ... well, you have to go crazy escaping input for zero valid reason other than, well... having one's cranium stuck up PHP 4's rectum.
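The two halves of what this thread recommends, as one added example that is not code from any of the posters: validate external input with `filter_var` (the `filter_var`/`filter_input` point earlier in the thread) to decide whether the request is acceptable, then hand the data to the database as bound parameters of a PDO prepared statement so the SQL text never changes shape. The table, the `validateSignup`/`insertUser`/`findUserByEmail` functions and the sample requests are constructed for this example; it uses an in-memory SQLite database so it runs offline, which assumes the `pdo_sqlite` extension is installed.

```php
<?php
// Added example (not from the thread): validate input, then pass it to the
// database as a bound parameter instead of splicing it into the SQL string.
// Uses SQLite in memory so it runs offline; assumes the pdo_sqlite extension.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // let the driver bind natively
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE, age INTEGER NOT NULL)');

// Step 1: validation. This decides whether the request is acceptable at all;
// it is not what makes the query safe, the parameter binding below does that.
function validateSignup(array $post): array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $age   = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($email === false || $age === false) {
        throw new InvalidArgumentException('invalid signup data');
    }
    return ['email' => $email, 'age' => $age];
}

// Step 2: the query. The SQL text is fixed; user data travels as bound parameters,
// so the database never parses it as SQL whatever characters it contains.
function insertUser(PDO $pdo, array $user): int
{
    $stmt = $pdo->prepare('INSERT INTO users (email, age) VALUES (:email, :age)');
    $stmt->bindValue(':email', $user['email'], PDO::PARAM_STR);
    $stmt->bindValue(':age',   $user['age'],   PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, age FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Constructed requests. The second one carries a quote and a SQL comment marker,
// the characters that break string-spliced queries; here it simply fails validation.
$requests = [
    ['email' => 'alice@example.com',          'age' => '34'],
    ['email' => "o'brien@example.com -- note", 'age' => '34'],
];
foreach ($requests as $post) {
    try {
        $id = insertUser($pdo, validateSignup($post));
        echo "inserted user #{$id}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}

// A lookup with the same awkward value is harmless too: the whole string is
// compared as one literal, so no row matches and no manual escaping was needed.
var_dump(findUserByEmail($pdo, "o'brien@example.com -- note"));      // NULL
var_dump(findUserByEmail($pdo, 'alice@example.com')['email']);       // "alice@example.com"
```

The division of labour is the point of the thread: parameter binding makes the query safe regardless of the input, validation keeps junk out of the table, and neither step touches HTML escaping, which stays in the templates.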