If you use htmlspecialchars() when receiving input from the user, like:
$email = htmlspecialchars($_POST['email']);
You should always use prepared statements. Here's an example: if the user inputs the following:
"105 or 1=1"
the htmlspecialchars() function won't do anything to it.
The query would look like:
SELECT * FROM Users WHERE UserId = 105 or 1=1
See this doc
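The point above, shown end to end as an added example (not code from the original answer): the same `105 or 1=1` input passes through `htmlspecialchars()` unchanged, turns a concatenated query into one that returns every row, and matches nothing when bound through a PDO prepared statement. The table, rows and e-mail values are constructed for the demo, and an in-memory SQLite database is assumed so the script runs stand-alone.

```php
<?php
// Added example: htmlspecialchars() does not protect a SQL query; a prepared statement does.
// Assumes PDO with the SQLite driver; the Users table and its rows are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Email TEXT)');
$pdo->exec("INSERT INTO Users (UserId, Email) VALUES
    (105, 'alice@example.invalid'),
    (106, 'bob@example.invalid')");

// The input from the answer. It contains none of the characters htmlspecialchars()
// rewrites (& < > " '), so the "sanitised" value is identical to the raw one.
$input   = '105 or 1=1';
$escaped = htmlspecialchars($input);
echo 'htmlspecialchars() changed the input: ', ($escaped === $input ? 'no' : 'yes'), "\n";

// Vulnerable: concatenating the value into the SQL text produces
//   SELECT * FROM Users WHERE UserId = 105 or 1=1
// and the "or 1=1" makes the WHERE clause true for every row.
$rows = $pdo->query("SELECT * FROM Users WHERE UserId = $escaped")->fetchAll(PDO::FETCH_ASSOC);
echo 'Concatenated query returned ', count($rows), " row(s)\n";

// Fixed: the SQL text is fixed at prepare time and the value travels separately as a parameter.
// The whole string '105 or 1=1' is compared against UserId as a single value, so it is data,
// not SQL, and cannot widen the WHERE clause.
$stmt = $pdo->prepare('SELECT * FROM Users WHERE UserId = :id');
$stmt->execute([':id' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo 'Prepared statement returned ', count($rows), " row(s)\n";

// Belt and braces: an id is an integer, so reject anything that is not one before it reaches the query,
// and keep htmlspecialchars() for its real job, escaping values when they are written into HTML output.
$id = filter_var($input, FILTER_VALIDATE_INT);
echo 'Input validates as an integer: ', ($id === false ? 'no' : 'yes'), "\n";
```

Run it with `php example.php`. The two counts illustrate the answer's claim directly: the concatenated query leaks both rows, the prepared statement leaks none. The `filter_var()` check at the end is a separate, complementary control: input validation narrows what the application accepts, while the prepared statement is what actually keeps data and SQL apart.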