There's 2 sides to this question.
First off: yes of course, if there's no way to 'break out of context' you're eliminating all chances of both XSS and SQL injection exploits. It's impossible to insert either JS or SQL if you can only use alphabetic characters.
Second: it's of course not a real protection, akin to never driving a car again as a failsafe method not to get in accidents. One day or another you are going to have input forms on your site which require other characters to be inserted, and you're going to be screwed. Just writing your code to be fundamentally safe, never trust client input, and properly escape all HTML generated by your code is in the end the only safe route.
What you're trying to do is solve an output problem on the input end, which just doesn't work. If you have arbitrary user input, you'll eventually have people trying to abuse it to do nasty things. Learn how to escape it properly on the output end, use a template system like Twig for output that handles most XSS problems inherently, and use a DAL/ORM like Doctrine or a good parametrized database access API like MySQLi or PDO to avoid SQL injection.