As with all user input, you will want to sanitize before storing the input, sanitize on display, and sanitize any user input used in queries. If you’re limiting it strictly to emojis, I would also recommend validating and restricting input to only emojis.
- PHP SQL Injection
- Use Prepared Statements for SQL Injection Prevention
- Use htmlspecialchars or htmlentities for XSS Prevention. Make sure your default_charset is set correctly, or specify the charset.
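
The three recommendations above combined in one place, as an added example that is not part of the original answer: validate that the input is emoji-only, store it with a prepared statement, and escape it on output with an explicit charset. The `reactions` table, the function names, the 32-character cap, the in-memory SQLite database (requires `pdo_sqlite`) and the simplified emoji ranges are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: a simplified allowlist of common emoji code-point ranges
// (flags, pictographs, misc symbols/dingbats, ZWJ, variation selector),
// not the complete Unicode emoji set. \A and \z anchor the whole string.
const EMOJI_ONLY = '/\A[\x{1F1E6}-\x{1F1FF}\x{1F300}-\x{1FAFF}\x{2600}-\x{27BF}\x{200D}\x{FE0F}]{1,32}\z/u';

function isEmojiOnly(string $input): bool
{
    // With /u, preg_match returns false on invalid UTF-8, so "=== 1" rejects that too.
    return preg_match(EMOJI_ONLY, $input) === 1;
}

function saveReaction(PDO $db, int $userId, string $emoji): bool
{
    if (!isEmojiOnly($emoji)) {
        return false; // validation failed: nothing is stored
    }
    // Prepared statement: values are bound, never concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO reactions (user_id, emoji) VALUES (:uid, :emoji)');
    return $stmt->execute([':uid' => $userId, ':emoji' => $emoji]);
}

function renderReactions(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT emoji FROM reactions WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $emoji) {
        // Escape on display as well, with the charset given explicitly.
        $html .= '<span>' . htmlspecialchars($emoji, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</span>';
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reactions (user_id INTEGER NOT NULL, emoji TEXT NOT NULL)');

// Constructed sample inputs: two valid emoji strings, two that must be rejected.
$samples = ["\u{1F600}", "\u{1F44D}\u{1F3FD}", "<b>hi</b>", "\u{1F600}' OR '1'='1"];
foreach ($samples as $s) {
    printf("%s => %s\n", json_encode($s), saveReaction($db, 1, $s) ? 'stored' : 'rejected');
}
echo renderReactions($db, 1), "\n";
```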