The ultimate clean/secure function

Backend | unresolved | 7 answers | 2254 views
忘掉有多难 2020-11-22 03:11

I have a lot of user inputs from $_GET and $_POST... At the moment I always write mysql_real_escape_string($_GET['var'])..

I

7 answers
  •  别跟我提以往
    2020-11-22 03:46

    There is no point in simply passing the input through all these functions. All these functions have different meanings. Data doesn't get "cleaner" by calling more escape-functions.

    If you want to store user input in MySQL you need to use only mysql_real_escape_string. It is then fully escaped to store safely in the database.

    EDIT

    Also note the problems that arise with using the other functions. If the client sends, for instance, a username to the server, and the username contains an ampersand (&), you don't want to have called htmlentities before storing it in the database, because then the username in the database will contain "&amp;".
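The distinction the answer draws, as an added example that is not part of the original thread: escaping belongs to the context in which the value is used, so the database receives the raw value and HTML encoding happens only when the value is rendered into a page. The example is PHP using PDO over an in-memory SQLite database so that it runs without a server (an assumption made here; the same code works against a MySQL DSN). Two caveats for anyone reading this today: the mysql_* extension, and with it mysql_real_escape_string, was removed in PHP 7.0, its successors being mysqli_real_escape_string and, preferably, prepared statements with bound parameters as used below; and a string-escaping function only protects a value placed inside a quoted SQL string literal, never one spliced into a LIMIT clause, a column name or an unquoted number. The helper names (openDb, storeUser, storeUserHtmlEncoded, fetchName, renderName) and the sample input are constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post.
// Assumes PHP 7+ with the pdo_sqlite extension available.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

// Correct: bind the raw value. The driver quotes it for the SQL context
// (the job mysql_real_escape_string did for the old mysql extension).
// No HTML escaping belongs here: the database is not an HTML context.
function storeUser(PDO $db, string $name): int {
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// Wrong: HTML-encoding before storage. The stored row no longer holds the
// user's actual name, and it gets double-encoded when rendered later.
function storeUserHtmlEncoded(PDO $db, string $name): int {
    return storeUser($db, htmlentities($name, ENT_QUOTES, 'UTF-8'));
}

function fetchName(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// The right place for HTML escaping: the moment the value enters HTML.
function renderName(string $name): string {
    return '<span>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</span>';
}

$db = openDb();

// Constructed input: an ampersand, a quote and a tag, i.e. what a user
// called "O'Neil & Sons" (or an attacker) would send via $_GET/$_POST.
$input = "O'Neil & Sons <b>";

$goodId = storeUser($db, $input);
$badId  = storeUserHtmlEncoded($db, $input);

echo "stored (raw, correct):      ", fetchName($db, $goodId), "\n";
echo "stored (pre-encoded, wrong): ", fetchName($db, $badId), "\n";
echo "rendered (correct):          ", renderName(fetchName($db, $goodId)), "\n";
echo "rendered (double-encoded):   ", renderName(fetchName($db, $badId)), "\n";
```

Running it shows the failure the answer describes: the pre-encoded row stores "&amp;" where the user typed "&", so the rendering step, which must still escape because it cannot trust what is in the table, turns it into "&amp;amp;" and the page displays the literal text "&amp;". Storing the raw value and escaping once at output gives both a faithful database record and a safe page.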
