Both, but it is important to understand the purpose of both validation and escaping.
Validation means checking if the values are logically valid, if you expect a number but you get a string, or an array, or a number that is negative, or too high... etc. This is the domain of your "business logic". You and your application's needs dictate what is a "valid" data.
Escaping is making sure values are values and not interpreted as other syntax elements in SQL, HTML, etc.
As such, validation is not a part of your security code, it's part of your application logic. It prevents bugs, not security exploits.
<rant>
Actually, my "unique theorizer" position

mandates me to say that escaping can be viewed in the same way, not a security measure, but simply bug prevention. I abhor all bugs, and as such I am entitled to that view

On the other hand, security bugs can be way more severe than "regular" bugs, so it's healthy to draw a line between normal bugs and security bugs and say to yourself "I may ship a buggy software, but at least they won't be security bugs".
</rant>