Yes, but not with any of the solutions you've given:
To be fair, having client-side validation is so stupid it doesn't even deserve mentioning.
I'm not really sure how many times I have to say this, but DON'T MANUALLY ESCAPE YOUR SQL!!! Use parametrized queries or ORMs.
Seriously guys, parametrized queries are actually EASIER to use than building your own SQL string:
$mysql.prepare("SELECT * FROM users WHERE user_id = ?", $user_id);
No need for escaping, no need to worry about table data types, no ugly procedural code intermixed with SQL. It's clean, easy to read and secure. There really isn't any excuse for anyone to be escaping their user inputs manually. In fact, I'd actually go as far as to say that anyone who does choose to manually escape over using parametrized queries or ORMs is demonstrating gross negligence. Harsh words, but given how easy parametrized queries are and how hard it is to securely escape SQL, there really is no excuse for manual escaping.
Yep. I hate going into scripts and seeing manually generated queries with escapes in them. It really isn't that hard in PHP either. Should be second nature, especially if you are doing OOP. I shudder at procedural code anymore lol... been working in OOP too long to go back now! If you can't bother with it, use one of the many frameworks out there that do this naturally!
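The point made in the thread above about data types and manual escaping, as an added example that is not code from any poster: a hand-escaped lookup on a numeric column beside the parametrized form of the same query. Python's sqlite3 module, the table contents, the function names and the sample inputs are all assumptions constructed for the illustration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def manual_escape(value):
    """Hand-rolled escaping (hypothetical helper): doubles single quotes."""
    return str(value).replace("'", "''")

def lookup_escaped(db, user_id):
    # 'Before': the escaped value is spliced into the SQL text. user_id is a
    # numeric column, so it is left unquoted and the quote-doubling never
    # comes into play; the input is parsed as part of the statement.
    sql = "SELECT name FROM users WHERE user_id = " + manual_escape(user_id)
    return sorted(row[0] for row in db.execute(sql))

def lookup_parametrized(db, user_id):
    # 'After': the SQL text is fixed and the value is bound separately,
    # so it is only ever compared as data, whatever it contains.
    sql = "SELECT name FROM users WHERE user_id = ?"
    return sorted(row[0] for row in db.execute(sql, (user_id,)))

if __name__ == "__main__":
    db = make_db()
    hostile = "1 OR 1=1"  # constructed input; contains no quote characters
    for label, fn in (("escaped", lookup_escaped),
                      ("parametrized", lookup_parametrized)):
        print(label, fn(db, 2), fn(db, hostile))
```

With the constructed input, the escaped version returns every row in the table while the parametrized version returns none, because the bound string is compared to `user_id` as a value and never reaches the SQL parser.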