 

How do you sanitize your data?

This is the function I currently use (from a PHP book I bought):

function escape($data) {
    // Trims surrounding whitespace, then escapes the string for the MySQL
    // connection held in $this->linkid (this is a method of a class that
    // owns the database link, using the old mysql_* extension).
    return mysql_real_escape_string(trim($data), $this->linkid);
}

But I feel like it could be safer. For example, maybe use htmlspecialchars(). It always makes me paranoid. I've read that mysql_real_escape_string() is bad and never to use it, but then I've also read it's the best way. Lots of confusion regarding data sanitizing when inserting it into the database.

So how do you do it, and what are the pros and cons of the way you do it?


1 Answer

You're talking about two different types of escaping.

mysql_real_escape_string() escapes data so it'll be safe to send to MySQL.

htmlspecialchars() escapes data so it'll be safe to send to something that renders HTML.

Both work fine for their respective purposes, but parameterized queries via something like mysqli are quite a bit neater.

ceejayoz answered May 26 '26 09:05
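The two contexts the answer separates, shown side by side as an added example (not code from the question or the answer): a parameterized mysqli query for the database, and htmlspecialchars() applied only at the point where a value is rendered as HTML. The table `users(id, name, email)`, the connection details and the mysqlnd-backed `get_result()` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed setup (placeholders): a MySQL table
//   users(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), email VARCHAR(255))
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
$db->set_charset('utf8mb4'); // quoting rules depend on the connection charset

// Database context: a prepared statement. The values travel separately from
// the SQL text, so quotes or backslashes in $name and $email cannot alter the
// statement and no manual escaping is needed.
function insertUser(mysqli $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

function findUserName(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row['name'] ?? null;
}

// HTML context: escape when rendering, not before storing. ENT_QUOTES covers
// single quotes as well, so the result is also safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input with characters that matter in both contexts.
$id   = insertUser($db, "O'Brien <b>bold</b>", 'ob@example.com');
$name = findUserName($db, $id);

// The stored value is the original text; it is escaped only for this output.
echo '<p>Hello, ' . h((string) $name) . '</p>';
```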


