Yes.
But you should validate data on input. So if you are expecting an integer, you validate it as an integer, etc.
When outputting user-created data to a view, you have to be careful. So yes, usually you would use html_entities just to stop them using </div> to break your site, or worse of course.
I am no expert on this myself so please do not let your security research end there.
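
An added example, not part of the original answer: a PHP sketch of the two steps it describes, validating an expected integer on input and encoding user-created text on output. It assumes PHP's built-in `filter_var()` and `htmlentities()`; the helper names `validate_id`, `escape_html` and `render_comment` and the sample rows are hypothetical, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept the raw value only if it is a whole integer >= 1.
// filter_var() returns false for anything else, e.g. "42abc" or "".
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: encode text for an HTML element body or a quoted attribute.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function escape_html(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The id is already a validated int; the body is encoded at the point of output.
function render_comment(int $id, string $body): string
{
    return sprintf('<div class="comment" id="comment-%d">%s</div>', $id, escape_html($body));
}

// Constructed sample input: a normal row, a non-integer id, and a body that
// tries to close the surrounding <div>.
$samples = [
    ['id' => '42',    'body' => 'Nice post!'],
    ['id' => '42abc', 'body' => 'never rendered'],
    ['id' => '7',     'body' => 'text</div><h1>broken layout</h1>'],
];

foreach ($samples as $row) {
    $id = validate_id($row['id']);
    if ($id === null) {
        // Even the rejection message encodes the untrusted value before echoing it.
        echo 'rejected id: ' . escape_html($row['id']) . PHP_EOL;
        continue;
    }
    echo render_comment($id, $row['body']) . PHP_EOL;
}
```

In the third row the `</div>` arrives in the page as `&lt;/div&gt;`, so the browser shows it as text and the comment's wrapper element stays intact.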