Data validation

I think the common issue (that I myself have at times) with understanding data validation is that we try to approach it as function-centric (which one to use), while it should be approached as a process:

  • where data comes from
  • where it goes
  • what unwanted and/or harmful things it might include

The confusing number of functions comes from the abundance of possible combinations, and still won’t cover all possibilities. While sanitization is covered, validation is usually something you code yourself in the context of your data.

The nature of data is different. A number is different from a URL, from text, from HTML code, from a user name, etc.

The purpose of sanitization is different. Data going into a database is sanitized mostly to prevent SQL exploits. Data going to the screen is sanitized mostly to prevent harmful JavaScript from running.

So while there are confusingly many functions, there is no simple logic to using them. That logic entirely depends on your specific data. You need to:

  1. understand general security concepts
  2. then your data
  3. then the context of input or output
  4. and only then you have enough understanding to start picking functions to use

For a solid overview of security basics in WordPress I recommend watching Theme & Plugin Security by Mark Jaquith.
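As an added illustration of the process described in this answer (example code written for this page, not part of the original answer and not WordPress API code), the plain-PHP script below walks one record through the three questions: what the data is supposed to be (validation written by hand per field), where it goes to the screen (HTML escaping at output), and where it goes to the database (a prepared statement). All function names, the `profiles` table and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not from the original answer. Function names, table and
// sample values are constructed for illustration; none is a WordPress API.
declare(strict_types=1);

// Step 1: validate against what each field is supposed to be. Validation is
// specific to the data, so it is written by hand rather than taken from a library.
function validate_profile(array $raw): array
{
    $errors = [];
    $clean  = [];

    // A user id is a positive integer and nothing else (no "12abc", no negatives).
    $id = filter_var($raw['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors['id'] = 'id must be a positive integer';
    } else {
        $clean['id'] = $id;
    }

    // A user name: 3 to 20 characters of [A-Za-z0-9_]. Anything else is refused.
    $name = $raw['name'] ?? null;
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        $errors['name'] = 'name must be 3-20 characters of [A-Za-z0-9_]';
    } else {
        $clean['name'] = $name;
    }

    // An optional website: must parse as a URL and use http(s). A URL with any
    // other scheme is not a website, so it fails validation here rather than
    // being "cleaned up" later.
    $url = $raw['website'] ?? '';
    if (is_string($url) && $url !== '') {
        $scheme  = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        $isValid = filter_var($url, FILTER_VALIDATE_URL) !== false
            && in_array($scheme, ['http', 'https'], true);
        if (!$isValid) {
            $errors['website'] = 'website must be an http(s) URL';
        } else {
            $clean['website'] = $url;
        }
    }

    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

// Step 2a: data going to the screen is escaped for HTML at the point of output.
function render_profile(array $clean): string
{
    $name = htmlspecialchars($clean['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = "<p>User: {$name}</p>";
    if (isset($clean['website'])) {
        $href  = htmlspecialchars($clean['website'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<p>Site: <a href=\"{$href}\">{$href}</a></p>";
    }
    return $html;
}

// Step 2b: data going to the database is kept apart from the SQL text by a
// prepared statement; the driver does the quoting, so no escaping call appears.
function store_profile(PDO $db, array $clean): void
{
    $stmt = $db->prepare('INSERT INTO profiles (id, name, website) VALUES (:id, :name, :website)');
    $stmt->execute([
        ':id'      => $clean['id'],
        ':name'    => $clean['name'],
        ':website' => $clean['website'] ?? null,
    ]);
}

// Constructed sample input, shaped like a form submission (all values are strings).
$submitted = ['id' => '42', 'name' => 'alice_01', 'website' => 'https://example.com/?q=a&b=2'];

$result = validate_profile($submitted);
if (!$result['ok']) {
    print_r($result['errors']);
    exit(1);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT NOT NULL, website TEXT)');
store_profile($db, $result['data']);
echo render_profile($result['data']), PHP_EOL;   // the "&" in the URL comes out as "&amp;"

// A second constructed input that validation refuses outright, so the question
// of how to sanitize it for a given output never arises.
$rejected = validate_profile(['id' => '-3', 'name' => 'al', 'website' => 'javascript:void(0)']);
print_r($rejected['errors']);
```

The script needs PHP with the `pdo_sqlite` extension. The point it makes in code is the one the answer makes in prose: the field-by-field checks in `validate_profile` cannot come from a generic function because they encode what *this* data means, whereas the two destinations each get their own, context-bound protection (`htmlspecialchars` for the screen, a bound parameter for the database), and neither of those substitutes for the other.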