Is FILTER_SANITIZE_STRING enough to avoid SQL injection and XSS attacks?

It's never wise to use the same sanitization function for both XSS and SQLI. For XSS you can use htmlentities to filter user input before output to HTML. For SQLI on SQLite you can either use prepared statements (which is better) or use escapeString to filter user input before constructing SQL queries with them.

FILTER_SANITIZE_STRING will remove HTML tags not special characters like &. If you want to convert a special character to entity code prevent malicious users to do anything.

filter_input(INPUT_GET, 'input_name', FILTER_SANITIZE_SPECIAL_CHARS);

OR

filter_input($var_name, FILTER_SANITIZE_SPECIAL_CHARS);

If you want to encode everything it's worth using for

FILTER_SANITIZE_ENCODED

For more info: https://www.php.net/manual/en/function.filter-var.php

If you are just trying to build a simple form and dont want to introduce any heavy or even light frameworks, then go with php filters + and use PDO for the database. This should protect you from everything but cross site request forgeries.

I think its good enough to secure your string data inputs, but there are many other options available which you can choose. e.g. other libraries would increase your application process time but will help you to process/parse other types of data.

If you don't trust your own understanding of the security issues enough to need to ask this question, how can you trust someone here to give you a good answer?

If you go down the path of stripping out unwanted characters sooner or later you're going to be stripping out characters that users want to type. It's better to encode for the specific context that the data is used.

Check out OWASP ESAPI, it contains plenty of encoding functions. If you don't want to pull in that big of a library, check out what the functions do and copy the relevant parts to your codebase.