Question: Is preventing XSS (cross-site scripting) as simple as using [code]strip_tags[/code] on any saved input fields and running [code]htmlspecialchars[/code] on any displayed output ... and preventing SQL injection by using PHP PDO prepared statements?

Here's an example:

[code]
// INPUT: Input a person's favorite color and save to database
// this should prevent SQL injection (by using prepared statement)
// and help prevent XSS (by using strip_tags)
$sql = 'INSERT INTO favorite (person_name, color) VALUES (?,?)';
$sth = $conn->prepare($sql);
$sth->execute(array(strip_tags($_POST['person_name']), strip_tags($_POST['color'])));

// OUTPUT: Output a person's favorite color from the database
// this should prevent XSS (by using htmlspecialchars) when displaying
$sql = 'SELECT color FROM favorite WHERE person_name = ?';
$sth = $conn->prepare($sql);
$sth->execute(array(strip_tags($_POST['person_name'])));
$sth->setFetchMode(PDO::FETCH_BOTH);
while ($row = $sth->fetch()) {
    // fetch() returns a row array; pick the column before encoding it
    echo htmlspecialchars($row['color'], ENT_QUOTES, 'UTF-8');
}
[/code]
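The pattern the question is asking about, written out as an added example (not the asker's code): bind parameters on the way in, store the raw value, and encode on the way out with an encoder chosen for the output context (HTML text, HTML attribute, URL). It uses an in-memory SQLite database and constructed sample input to show what `strip_tags` would have silently discarded from a legitimate value.

```php
<?php
// Added example, not from the question: prepared statements for the SQL side,
// context-specific output encoding for the HTML side, no input "sanitizing".
declare(strict_types=1);

// Encoder for text placed in an HTML element body or a quoted attribute value.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for a value placed in a URL query string (different context, different rules).
function eUrl(string $s): string {
    return rawurlencode($s);
}

// Write: the values are bound, so they never become part of the SQL text.
function saveFavorite(PDO $conn, string $name, string $color): void {
    $sth = $conn->prepare('INSERT INTO favorite (person_name, color) VALUES (?, ?)');
    $sth->execute([$name, $color]);   // raw value stored: nothing is lost
}

// Read: fetch() returns a row array, so select the column before encoding it.
function favoriteColor(PDO $conn, string $name): ?string {
    $sth = $conn->prepare('SELECT color FROM favorite WHERE person_name = ?');
    $sth->execute([$name]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['color'];
}

// Demo on an in-memory SQLite database with constructed sample data.
$conn = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$conn->exec('CREATE TABLE favorite (person_name TEXT, color TEXT)');

// Ordinary input that happens to contain characters strip_tags treats as markup.
$name  = 'Tom & "Jerry"';
$color = 'blue <3 not green';

saveFavorite($conn, $name, $color);
$stored = favoriteColor($conn, $name) ?? '';

// strip_tags does not parse HTML: an unclosed '<' drops the rest of the string.
$lossy = strip_tags($color);

echo '<p>', e($name), ' likes ', e($stored), "</p>\n";            // element body
echo '<input type="text" value="', e($stored), '">', "\n";         // quoted attribute
echo '<a href="?person_name=', eUrl($name), '">permalink</a>', "\n"; // URL query
echo 'strip_tags() would have stored: ', e($lossy), "\n";
```

The stored value survives intact and is rendered safely because the encoding step, not the storage step, is what decides how the browser interprets it.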