Which should I use in what situation?
- htmlentities(). Never use it, but htmlspecialchars() instead. For printing untrusted user input into the browser.
- mysql_real_escape_string is a MySQL database-specific function. Here is a comprehensive guide I wrote exactly on the topic of where to use it and where not, and what else you need to know about MySQL database security.
- addslashes(). It depends. Most of the time you just don't need it at all.
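
The HTML-output case from the list above, as an added example that is not part of the original answer: it encodes one constructed input with htmlspecialchars() for a body and an attribute context, then runs the same input through htmlentities() for comparison. The helper name `e()` and all sample values are assumptions made for illustration.

```php
<?php
// Added example. e() is a hypothetical helper name; all inputs are constructed.

/**
 * Encode untrusted text for an HTML body or a quoted attribute value.
 * Not suitable for <script>, style, or URL contexts.
 */
function e(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close an attribute
    // regardless of which quote style the template uses.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
    // making the function return an empty string.
    // The charset is passed explicitly so the result does not depend on php.ini.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: markup characters, both quote styles, a non-ASCII letter.
$comment = "Zoë wrote: <b>5 > 3</b> & 'single' \"double\"";

// Body context: the tags arrive in the browser as text, not as markup.
printf("<p>%s</p>\n", e($comment));

// Attribute context, single-quoted on purpose: the encoded value stays
// inside the attribute because ' is encoded as well.
printf("<input type='text' name='comment' value='%s'>\n", e($comment));

// Constructed invalid UTF-8 (0xC3 followed by a non-continuation byte).
// With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest survives.
$broken = "caf\xC3( <i>menu</i>";
printf("<p>%s</p>\n", e($broken));

// Comparison: htmlentities() encodes the same five HTML-significant
// characters and additionally rewrites every character that has a named
// entity (here the "ë"). On a page served as UTF-8 those extra entities
// are not needed for safe output.
$special  = e($comment);
$entities = htmlentities($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
printf("htmlspecialchars: %s\n", $special);
printf("htmlentities:     %s\n", $entities);
printf("outputs differ:   %s\n", $special === $entities ? 'no' : 'yes');
```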