Using prepared statements should guard you against sql injection, though it's still a good idea to validate the input, I would not encode it on input, as mentioned, trimming is not a bad idea.
What I would do is encode on output:-
<?php echo htmlspecialchars($row['data']); ?>
...to guard against any script injection to your site/app that may slip past the previous validation.
If you were to apply multiple functions on a value (probably not these ones) you must pass the result of the previous function to the next function, not the unchanged original value.
Otherwise, as per your code only the last function will be used, as
$data never changes and
$d is overwritten on each line.