Not validating user input should have nothing to do with SQL or XSS or any other kind of security practice. Validation of input has to do with business logic. Sanitizing input is another thing altogether. Trying to do both at once is usually pessimal. For example, if you use input validation to prevent SQL injection, you might prohibit the ' character in input fields. This is guaranteed to annoy everyone named "O'Grady." Likewise, if you use input validation to prevent people from entering <script>, you will be shocked when you discover the entertaining ways people have of routing around your homebrewed "filters." Far better to make sure your display layer knows how to display any user input without inserting it as raw HTML.
And of course, if you're composing SQL queries by catenating strings together, you do not need to validate input, you do not need "best" practices, you need basic training. There's a difference.
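The separation the comment argues for, shown as an added example (not the commenter's code): a business-rule validator that happily accepts "O'Grady", a parameterized insert beside the string-concatenation version it replaces, and HTML escaping applied only at the display layer so a stored `<script>` renders as text. The table name, column names and the sample user are constructed for this illustration; everything else is the Python standard library (`sqlite3`, `html`).

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory schema for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    return conn


def validate_name(name):
    """Business-logic validation only: length and printable characters.
    Apostrophes are perfectly valid in a name, so they are not rejected."""
    if not name or len(name) > 64:
        return False, "name must be 1-64 characters"
    if any(ord(c) < 32 for c in name):
        return False, "name must not contain control characters"
    return True, ""


def insert_user_concat(conn, name, bio):
    """The 'basic training' anti-pattern: building SQL by string concatenation.
    Any apostrophe in the data changes the statement's meaning or breaks it."""
    stmt = "INSERT INTO users (name, bio) VALUES ('" + name + "', '" + bio + "')"
    conn.execute(stmt)


def insert_user(conn, name, bio):
    """Parameterized statement: the driver keeps data and SQL separate,
    so no character in the input needs to be filtered for the database's sake."""
    conn.execute("INSERT INTO users (name, bio) VALUES (?, ?)", (name, bio))


def find_user(conn, name):
    return conn.execute(
        "SELECT name, bio FROM users WHERE name = ?", (name,)
    ).fetchone()


def render_profile(name, bio):
    """Display layer: escape at output time, for the HTML context, every time.
    The stored value is untouched; only this rendering is encoded."""
    return '<p class="name">{}</p><p class="bio">{}</p>'.format(
        html.escape(name, quote=True), html.escape(bio, quote=True)
    )


def demo():
    """Runs the three steps on a constructed user and returns what happened."""
    conn = make_db()
    name = "Sean O'Grady"                 # constructed sample: apostrophe in a real name
    bio = "<script>alert(1)</script>"     # constructed sample: markup in free text

    ok, reason = validate_name(name)      # business rule passes; no apostrophe ban needed

    # The concatenated statement fails on the apostrophe (a syntax error here;
    # with different surrounding text it would instead execute something unintended).
    try:
        insert_user_concat(conn, name, bio)
        concat_failed = False
    except (sqlite3.Error, sqlite3.Warning):
        concat_failed = True

    insert_user(conn, name, bio)          # parameterized insert stores the data verbatim
    stored = find_user(conn, name)
    rendered = render_profile(*stored)    # markup is neutralised only when displayed

    return {
        "valid": ok,
        "reason": reason,
        "concat_failed": concat_failed,
        "stored": stored,
        "html": rendered,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The point of the split is that `validate_name` encodes what the application cares about (a name of sensible length) and nothing about SQL or HTML; the database driver and `html.escape` each handle their own context, so the same stored string is safe in both without any "filter" guessing at what an attacker might type.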