Well, that depends on the platform you used, e.g. WordPress, Drupal, etc., as they all have their specific vulnerabilities. Then there is the database you use and what vulnerabilities it has. Those are vulnerabilities you can't do much about yourself apart from applying patches/fixes as they become available and keeping up to date on latest versions.
From a coding point of view you should have parameterised queries to the database, be parsing all user input regardless of the source and making sure (or at least trying) that cross-site scripting attacks are blocked.
You should enforce strong password policies for all users, particularly admin and development people that access the server directly.
And then you've got hardware to worry about, denial of service attacks, etc.
It's not easy and is a pretty big field in its own right.
Filtering the query goes a long way to protecting yourself but you should also enforce strong passwords and the like.
Also consider that sometimes an attack will happen, in which case you need to consider recovery rather than prevention. Make sure you regularly back up everything essential so if needed you can roll back and lose very little data.