You should never trust user input. Always validate data on the server side.
The first line of defense against injection is using prepared statements. If you use prepared statements for your queries, then it really doesn't matter what the user puts into your form, because you have already separated code from data. This way, the database will treat anything a user injects as just data, never as code.
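An added example (not from the original notes) showing the separation of code from data: the same login lookup written first with string-built SQL and then with a parameterized query, against a constructed in-memory SQLite table with one sample user. The table, user and password are assumptions for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample database: one user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def find_user_unsafe(conn, username, password):
    # Vulnerable: user input is spliced into the SQL text, so the database
    # parses whatever the user typed as part of the query (code, not data).
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]

def find_user_prepared(conn, username, password):
    # Hardened: the SQL text is fixed and the values travel separately as
    # parameters, so the database only ever compares them as literal strings.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def demo():
    conn = make_db()
    # Constructed malicious password value that is valid SQL if spliced in.
    injected = "' OR '1'='1"
    # Legitimate credentials return the user either way.
    ok_unsafe = find_user_unsafe(conn, "alice", "correct-horse")
    ok_prepared = find_user_prepared(conn, "alice", "correct-horse")
    # With the string-built query the injected text rewrites the WHERE clause
    # and the row comes back without a valid password; with parameters the
    # same text is just a password string that matches no row.
    bad_unsafe = find_user_unsafe(conn, "alice", injected)
    bad_prepared = find_user_prepared(conn, "alice", injected)
    return ok_unsafe, ok_prepared, bad_unsafe, bad_prepared

if __name__ == "__main__":
    print(demo())  # (['alice'], ['alice'], ['alice'], [])
```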
CSRF / Cross-site Request Forgery
Some ideas on protecting POST requests
- protect the form from blank submission
- do data validation on both the client side and the server side