The data validation is so you can display a nice error message. To protect the database, you need to use prepared statements instead of mysql_really_really_try_hard_to_quote_the_string_or_something.
In the particular case of integer ids, however, can't you just make sure what's being passed is an integer? Similarly, for a 'simple' username, check against "^[a-zA-Z0-9]+$"?
Casting the ID to an int (like you should do) will make any non-numeric strings into 0. If your ID is 0 you can assume an attack and give such a message. With PHP you should be using mysqli_ functions instead of mysql_ variants as they protect against multiple queries executing in one mysqli_query() call.
I do agree prepared statements are the way to go at least 90% of the time.
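
The approaches discussed in this thread, side by side, as an added example that is not code from any of the posters: whole-string validation of an integer id and a "simple" username for the error message, and a mysqli prepared statement for the query itself. The function names, the `users` table and its columns are hypothetical, `find_user()` assumes an already open `mysqli` connection, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Validation for the error message: the whole string must be an integer >= 1.
// A bare (int) cast keeps a leading numeric prefix, so it is shown next to
// this check in the demo loop below.
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// "Simple" username check. \A and \z anchor to the real start and end of the
// string; in PCRE a plain $ also matches just before a trailing newline.
function is_simple_username(string $raw): bool
{
    return preg_match('/\A[a-zA-Z0-9]+\z/', $raw) === 1;
}

// Protection for the database: the value is bound as a parameter and never
// concatenated into the SQL text. Assumes a hypothetical table users(id, username).
function find_user(mysqli $db, string $rawId): ?array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null; // caller shows the friendly error message
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed sample ids: compare the cast with the strict check.
foreach (['42', '12abc', 'abc', '0', ''] as $raw) {
    printf("id %-8s cast=%-3d strict=%s\n",
        var_export($raw, true), (int) $raw, var_export(parse_id($raw), true));
}

// Constructed sample usernames: compare the thread's pattern with the anchored one.
foreach (['alice01', "alice01\n", "o'brien"] as $raw) {
    printf("user %-12s dollar=%d anchored=%s\n",
        json_encode($raw), preg_match('/^[a-zA-Z0-9]+$/', $raw),
        var_export(is_simple_username($raw), true));
}
```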