Protection from SQL injections and XSS attacks
#16

(This post was last modified: 07-23-2017, 06:57 AM by PaulD.)

Yes.

But you should validate data on input. So if you are expecting an integer, you validate it as an integer, etc.

When outputting user-created data to a view, you have to be careful. So yes, usually you would use html_entities just to stop them using </div> to break your site, or worse of course.

I am no expert on this myself so please do not let your security research end there.
Reply
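Worked example added by the editor (not PaulD's code, nor anything from the forum software): it shows the two steps the post describes, validating a value that is expected to be an integer before it reaches the query, and escaping user-created content when it is rendered into HTML. The post's html_entities suggests PHP; the example is in Python so it can be run as-is, and the same idea carries over. A deliberately unsafe, string-built query is kept alongside for contrast. The table, its rows and the hostile inputs are constructed for the demo.

```python
import html
import re
import sqlite3

# Constructed sample data for the demo: an in-memory table with one benign
# post and one post whose body is exactly the kind of payload the thread
# warns about (a closing </div> followed by a script tag).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO posts (id, body) VALUES (?, ?)",
        [
            (1, "Hello, forum!"),
            (2, '</div><script>alert("xss")</script>'),  # stored verbatim
        ],
    )
    return conn


# Input validation: an id must be a plain decimal integer and nothing else.
# fullmatch rejects "12abc", "-1", "0 OR 1=1" and anything with whitespace.
_INT_RE = re.compile(r"[0-9]{1,9}")


def validate_int(raw):
    """Return raw as an int if it is a plain decimal integer, else None."""
    if not isinstance(raw, str) or not _INT_RE.fullmatch(raw):
        return None
    return int(raw)


def fetch_post_unsafe(conn, raw_id):
    """The anti-pattern: untrusted text is spliced straight into the SQL.
    Kept only to show what validation and parameters prevent."""
    row = conn.execute(f"SELECT body FROM posts WHERE id = {raw_id}").fetchone()
    return row[0] if row else None


def fetch_post(conn, raw_id):
    """Validate on input, then bind the value as a parameter (two layers)."""
    post_id = validate_int(raw_id)
    if post_id is None:
        return None
    row = conn.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchone()
    return row[0] if row else None


def render_post(body):
    """Escape on output: <, >, &, " and ' become entities, so stored markup
    cannot close the surrounding <div> or inject a script."""
    return '<div class="post">' + html.escape(body, quote=True) + "</div>"


if __name__ == "__main__":
    db = make_db()
    # "0 OR 1=1" is not an integer; the safe path rejects it, the unsafe
    # path happily returns a row it was never asked for.
    print(fetch_post(db, "0 OR 1=1"))
    print(fetch_post_unsafe(db, "0 OR 1=1"))
    # Post 2 renders as harmless text instead of live HTML.
    print(render_post(fetch_post(db, "2")))
```

Note that validation and parameter binding are independent defences: validation would not help for a free-text field like a post body, where binding does the work, and binding does not stop a well-formed but unexpected value, which is what the integer check catches. Escaping belongs at the point of output, since the same stored text may later be emitted into HTML, JSON or an attribute, each needing a different encoding.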


Messages In This Thread
RE: Protection from SQL injections and XSS attacks - by PaulD - 07-23-2017, 06:55 AM


