There is no silver bullet to prevent all attacks that involve injecting control characters. Vulnerabilities are highly dependent on how the data is used. For example, xss uses control characters <> , where, since SQL Injection uses control characters '"\ , mixing both of these filters makes no sense.
You can use a set of regular expressions to ensure that the data is valid until it is used. A specific regular expression can be used to prevent a specific vulnerability for a function by function. Validation of input data is beyond security and is often required for the program to work properly.
Regex is not always the best way to complete a task. For example, if you use the mysql library, you must call the mysql_real_escape_string () function, which ensures that all control characters recognized by mysql are escaped correctly. It is in your interest to use this feature instead of trying to write your own security system, reinventing the wheel is poor design and can be disastrous when it comes to security systems.