I have a textarea which will be available to users as comment box so any sort of inputs are acceptable but that should be accepted only as text and not code. Basically I want to protect my database. I don't want to strip tags or such thing, I just want that if any users even inputs a code that should be stored in database as text and shouldn't be causing any harm to database. So came across these two php functions now I am not sure which one ofthese I should use as I am not able to understand difference in them.
From this : http://forums.phpfreaks.com/topic/275315-htmlspecialchars-vs-filter-sanitize-special-chars/
They are quite similar yes, but as the PHP manual states htmlspecialchars escapes a bit more than just FILTER_SANITIZE_SPECIAL_CHARS.
That brings us to the next point, SQL injection prevention. As stated htmlspecialchars is for escaping output to a HTML-parser, not a database engine. The DB engine doesn't understand HTML, and doesn't care about it either. What it does understand, is SQL queries. SQL queries and HTML use quite different meta-characters, with only a few in common: Quotes being the most obvious, and even that is somewhat conditional for HTML. However, due to the other meta-characters (which HTML does not share) using HTML escaping methods for SQL queries will not protect you. Those meta-characters will go through htmlspecialchars unscathed, and thus be able to cause SQL injections.
Same the other way around, if you use SQL escaping methods to escape output going to a browser. It will not escape the < and > signs, meaning an attacker can easily perform HTML injection attacks (XSS etc). Not only that, but you'll suddenly have a lot of slashes in places where there shouldn't be any. Which is quite annoying, at best.
This is why it's so important to know, and use, the proper method for the third party system you're sending the data to. If you don't, you are still vulnerable