I’m working on some code and I am trying to make sure all the incoming data is secure. I currently call mysql_real_escape_string() on all incoming data, but I am wondering if it would be worth my while to call htmlspecialchars() on it as well. Does anyone else have any good tips on un-tainting user data?