A PHP function to prevent SQL Injections and XSS

暖寄归人 2020-12-14 03:24

I am trying to make my PHP as secure as possible, and the two main things I am trying to avoid are

  • MySQL injections
  • Cross-Site Scripting (XSS)
3 Answers
  •  再見小時候
    2020-12-14 03:59

    mysql_real_escape_string() doesn't prevent XSS. It will only make it impossible to do SQL injections.

    To fight XSS, you need to use htmlspecialchars() or strip_tags(). The 1st will convert special chars like < to &lt;, which will show up as < but won't be executed. The 2nd just strips all tags out.

    I don't recommend making a special function to do it, or even making one function to do it all, but your given example would work, I assume.
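
The separation the answer describes, as an added example that is not part of the original posts: each context gets its own defence, with bound parameters on the way into the database and HTML encoding on the way out to the page. It assumes PHP with the PDO SQLite driver (in-memory, so it runs offline); the `comments` table, the helper name `h()` and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode for an HTML text or quoted-attribute context.
// Applied at output time only, never before storing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: one value with a quote, one with markup.
$author = "O'Brien";
$body   = '<script>alert(1)</script> and <b>bold</b>';

// SQL context: bound parameters keep the data out of the statement text,
// so no escaping function is involved and the value is stored as submitted.
$ins = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$ins->execute([':author' => $author, ':body' => $body]);

$sel = $pdo->prepare('SELECT author, body FROM comments WHERE author = :author');
$sel->execute([':author' => $author]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// The database hands back the markup unchanged: protecting the query
// does nothing about XSS, which is a property of the output context.
var_dump($row['body'] === $body);

// HTML context: encode when writing into the page.
echo '<p>', h($row['author']), ' wrote: ', h($row['body']), "</p>\n";

// strip_tags() removes the tags and keeps the text between them; it does
// not encode quotes, so it is not a substitute for h() inside attributes.
echo strip_tags($row['body']), "\n";
```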
