secure form data for mysql

I have been using:

if ($_POST['Comments']!=""){
  $comments = mysql_real_escape_string($_POST['Comments']);
}else{
  $comments = "";
}

ever since a user added and apostraphy to their data and it broke my sql statement. I thought this also secured the data at the same time. But just now I got a submission and in the comment field in the database I see:

 /r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r
<a href="http://seowebsite.com">seohelp</a>

And the ema开发者_高级运维il I get when someone submits had the text with the links actually working.

I thought mysql_real_escape_string() was supposed to get rid of all that?

Any suggestions? I was thinking of doing a function that does all the string cleaning for me in a few different steps. But if there is a way to secure in just one step that would be great.

mysql_real_escape_string() only protects^* you against SQL Injection, not against Cross-Site Scripting (XSS).

_{^* mysql_real_escape_string() doesn't behave properly when used in conjunction with SET NAMES because it is unaware of the charset being used. Use mysql_set_charset() instead.}

In order to protect yourself against XSS, you must also use htmlentities() or htmlspecialchars() either at insert time (before mysql_real_escape_string()) or at display time.

$escaped = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

If you want to allow some HTML content, use HTML Purifier with a whitelist of elements and attributes you want to allow.