PDO does a very effective job of protecting your queries from XSS attacks. No need to worry about whether or not you remembered to protect your queries, because it is automatic. Several other frameworks support this feature as well.

If I’m not using PDO because of a client requirement or the like, I will at the very least build into my connection class an automatic htmlspecialchars function so that I never forget to do it (though this is my least favorite option)

As a UI guy, I always attack my security issues starting on the –front– end first. Proper and well-designed front-end validation can stop unintentional issues from even getting to the query in the first place, and they’re the most effective UI pattern for reporting problems to the user. Blocking elements such as < or ; makes sense in most fields, because they just don’t fit. You can’t rely on the front end solely, though, because a person could bypass it by turning off javascript. But, it’s a good first step and a great way to limit improper queries on heavily traffic-ed sites. My validation of choice for quick and effective front-end validation of fields is here.