not so much sandboxing, but sanitizing. A good sanitizing algorithm will eliminate the possibility of SQL injection, as one example...
my favorite is to look for ';' and '/' (or quotes, or path starts with '..' etc. - or SQL keywords if that's at issue) and just reject things outright that contain these characters/sequences. Others also exist. simple test. PHP script has some other built-ins as well.
the only reason you would NOT want to do everything server-side is performance latency [when the server is across the world, let's say, or the bandwidth stinks]