If you use PDO's prepared statements to protect your database from injection, and you then use htmlentities to protect your users from XSS attacks, then you ought to be fine.
As for "cleaning that input", this will only work when you know exactly what is going to be allowed and you either filter out everything else, or detect an infringement and abort that operation -- so-called Filtering Input (FIEO),
e.g. a phone number. You might permit spaces, dashes, round brackets and numbers.
For a free-for-all text area you face an impossible task, so you simply have to protect each environment from attack by Escaping Output (FIEO).
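As an added illustration of the answer above (this is example code, not part of the original post), here is both halves of FIEO in one script: a whitelist filter for a phone number that rejects rather than "cleans", a PDO prepared statement so the value never reaches the SQL text, and `htmlentities()` when the stored free text is echoed back into HTML. It assumes PHP with the SQLite PDO driver so it can run against an in-memory database; the submissions array is constructed sample input.

```php
<?php
// Added example, not from the original answer. Demonstrates FIEO:
// Filter Input (whitelist for a phone number), a PDO prepared statement
// for the database, and Escape Output (htmlentities) for the HTML context.
// Assumes the pdo_sqlite extension so it runs stand-alone in memory.
declare(strict_types=1);

// Filter Input: only digits, spaces, dashes and round brackets are allowed.
// Anything else is an infringement: return null so the caller aborts.
function filterPhone(string $raw): ?string
{
    $trimmed = trim($raw);
    if ($trimmed === '' || strlen($trimmed) > 32) {
        return null;
    }
    return preg_match('/^[0-9 ()-]+$/', $trimmed) === 1 ? $trimmed : null;
}

// Escape Output: encode for HTML text/attribute context with explicit flags
// and charset, so quotes and angle brackets are rendered, not interpreted.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side binding
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT NOT NULL, phone TEXT NOT NULL, note TEXT NOT NULL)');

// Constructed sample form submissions. The note is a free-for-all text area,
// so it is never filtered, only escaped when output. The last phone value
// breaks the whitelist and is rejected outright.
$submissions = [
    ['name' => "O'Brien", 'phone' => '(555) 123-4567', 'note' => 'plain note'],
    ['name' => 'Mallory', 'phone' => '555-0100',       'note' => '<script>alert(1)</script> & "quotes"'],
    ['name' => 'Trudy',   'phone' => "555' OR '1'='1", 'note' => 'never stored'],
];

$insert = $pdo->prepare('INSERT INTO contacts (name, phone, note) VALUES (:name, :phone, :note)');

foreach ($submissions as $row) {
    $phone = filterPhone($row['phone']);
    if ($phone === null) {
        // Whitelist violation: abort this operation instead of "cleaning" it.
        echo "rejected phone for {$row['name']}\n";
        continue;
    }
    // Bound parameters: the apostrophe in "O'Brien" is data, not SQL syntax.
    $insert->execute([':name' => $row['name'], ':phone' => $phone, ':note' => $row['note']]);
}

// Parameterised lookup: the name is bound, never interpolated into the query.
$select = $pdo->prepare('SELECT name, phone, note FROM contacts WHERE name = :name');
$select->execute([':name' => "O'Brien"]);
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $contact) {
    printf(
        "<li data-phone=\"%s\">%s: %s</li>\n",
        escapeHtml($contact['phone']),
        escapeHtml($contact['name']),
        escapeHtml($contact['note'])
    );
}

// Escape Output for the free text: Mallory's note is rendered inertly as
// &lt;script&gt;..., not executed by the browser.
foreach ($pdo->query('SELECT name, note FROM contacts')->fetchAll(PDO::FETCH_ASSOC) as $contact) {
    printf("<p>%s wrote: %s</p>\n", escapeHtml($contact['name']), escapeHtml($contact['note']));
}
```

Run it with `php fieo.php`. The point of the split is that the phone field has a known shape and so can be filtered, while the note field does not and so is left intact in the database and made safe only at the point where it meets its environment (here, HTML); a value destined for a different environment, such as a shell command or a JSON document, would need that environment's own escaping instead of `htmlentities()`.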