Here is my fool-proof function that will keep you out of trouble.
// Look up a request field, HTML-encode it with quotes converted (ENT_QUOTES),
// then backslash-escape the result (addslashes).
// utf8_decode is applied to the field's value, not to the field name.
function sanitize($var)
{
	return addslashes (htmlentities (utf8_decode (prepreq ($var)), ENT_QUOTES));
}
Now there is a function in there called prepreq that you will not recognize. Here it is:
// Return the named $_REQUEST field (GET or POST), or "" when it is absent.
function prepreq($var)
{
	return isset ($_REQUEST [$var]) ? $_REQUEST [$var] : "";
}
Now that is for forms; I use $_REQUEST to save time on who posts and who gets, and to avoid the errors that some of those functions will output if no argument is provided.
For passed strings you may need this (well, it is paranoia, but...):
// Same encoding chain for a string that is already in hand rather than in $_REQUEST.
function sanitizestr($var)
{
	return addslashes (htmlentities (utf8_decode ($var), ENT_QUOTES));
}
Use them, but google those functions to properly understand them.
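As an added example (not the poster's code), the snippet below runs the sanitize() chain from the post on constructed input and places it next to context-specific handling: htmlspecialchars() for HTML output and a PDO prepared statement for SQL. It assumes the pdo_sqlite extension so the database part runs in memory, offline.

```php
<?php
// Added example, not from the forum post: exercises the posted sanitize()
// chain and contrasts it with encoding chosen per output context.
declare(strict_types=1);

// Constructed form submission standing in for a real $_REQUEST.
$_REQUEST = ['name' => "O'Brien <b>&</b> \"co\"", 'city' => "Zürich"];

function prepreq(string $var): string
{
    return isset($_REQUEST[$var]) ? $_REQUEST[$var] : '';
}

// The posted chain: lookup, utf8_decode, htmlentities(ENT_QUOTES), addslashes.
function sanitize(string $var): string
{
    return addslashes(htmlentities(utf8_decode(prepreq($var)), ENT_QUOTES));
}

// Encoding for one destination, applied at output time to the raw value.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parameter binding keeps the value out of the SQL text, so the value
// itself needs no escaping for the query.
function findByName(PDO $db, string $value): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo sanitize('name'), "\n";
// O&#039;Brien &lt;b&gt;&amp;&lt;/b&gt; &quot;co&quot;
// ENT_QUOTES has already replaced both quote characters, so addslashes
// finds nothing to escape; the stored value is HTML-encoded either way.

echo sanitize('city'), "\n";
// Prints an empty line: utf8_decode turns "ü" into the single byte 0xFC,
// which is not valid UTF-8, and htmlentities (UTF-8 by default since
// PHP 5.4) returns "" for an invalid sequence unless ENT_SUBSTITUTE is set.

echo forHtml(prepreq('city')), "\n";   // Zürich, encoded for HTML only

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO users (name) VALUES (:name)')
   ->execute([':name' => prepreq('name')]);      // raw value, stored as-is
var_dump(count(findByName($db, prepreq('name'))) === 1);   // bool(true)
```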