mysql_real_escape_string(htmlspecialchars( $value )); is enough? how can i easly improve it?

i'm using this in every $_get or $_post before acces or insert to my Database..

i'm sure it's not eno开发者_开发问答ugh.. but how safe is it? can i combine it with some expresion to make it safer?

thanks a lot!

so how about this? mysql_real_escape_string(htmlspecialchars( $value ));

No, that is not enough. You should use mysql_real_escape_string to prevent sql injection attacks.

mysql_escape_string($value) is a bit smarter when sanitizing strings that will be used in an SQL query.

You should use mysql_real_escape_string() to protect your database from injection attacks (or better yet, prepared statements with something like the PDO library) and htmlspecialchars() when you're displaying data pulled from a database.