javascript – PHP – Filtering user query to prevent all attacks

A user submits a search query to my site.

I then take this query and use it in other places, as well as echo’ing it back out to the page.

Right now I’m using htmlspecialchars(); to filter it.

What other steps should I take to prevent XSS, SQL injection, etc., and things I can’t even think of? I want to have all my bases covered.

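<?php
// Read the raw search term from the query string ($_GET is an array, indexed with []).
$query = $_GET["query"];
// Encode HTML special characters before echoing the value into the page.
$query = htmlspecialchars($query);
?>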
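Added example, not part of the original post: the raw search term is kept unmodified and encoded separately for each place it is used (HTML, URL, inline script, SQL), since no single filter is correct for every sink. The `articles` table, the helper names `html`, `js` and `search`, and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_GET["query"]; never overwrite the raw value.
$raw = "\"><script>alert(1)</script>' OR '1'='1";

// HTML text or attribute sink: encode at output time, quotes included.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline <script> sink: emit a JSON string literal; the HEX flags keep
// <, >, &, ' and " from closing the script block or the string.
function js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// SQL sink: the term is a bound parameter, never concatenated into the statement.
// LIKE wildcards typed by the user are escaped so they match literally.
function search(PDO $db, string $term): array {
    $stmt = $db->prepare(
        "SELECT title FROM articles WHERE title LIKE :t ESCAPE '\\'"
    );
    $stmt->execute([':t' => '%' . addcslashes($term, '%_\\') . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical schema and rows, constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (title TEXT)");
$db->exec("INSERT INTO articles VALUES ('PHP basics'), ('100% cotton')");

// Same raw value, one encoder per output context.
echo '<p>Results for: ' . html($raw) . "</p>\n";
echo '<a href="/search?query=' . html(rawurlencode($raw)) . "\">permalink</a>\n";
echo '<script>var q = ' . js($raw) . ";</script>\n";

// The injection payload is handled as data by the prepared statement.
var_dump(search($db, $raw));
var_dump(search($db, '100%'));
```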