The way I prefer to do things is to check all data that can be inputted via GET/POST.

The way I do this is to create a class that will recursively check the inputted user data before we use it anywhere within the application.

A simple class can do this. Note that the class below is an example, and is only for informational purposes.

PHP Code: 
class Input
{
    var $get, $post, $cookie;    // Cleaned (Not DB)
    var $_get, $_post, $_cookie; // Uncleaned / RAW

    function __construct()
    {
        $this->clean();
    }

    private function clean()
    {
        // Keep the raw stuff in their designated variables.
        $this->_get    = $_GET;
        $this->_post   = $_POST;
        $this->_cookie = $_COOKIE;

        // Clean them and assign the data to the designated variables.
        $this->get    = $this->escape($_GET);
        $this->post   = $this->escape($_POST);
        $this->cookie = $this->escape($_COOKIE);
    }

    // Only invoked for properties that are not declared above; returns an empty array for those.
    public function __get($type)
    {
        return isset($this->{$type}) ? $this->{$type} : array(); // usage: $input->get['some_key']
    }

    // Recursively HTML-encode every value; array keys are left untouched.
    public function escape($var)
    {
        $return = array();
        foreach ($var as $key => $val)
        {
            if (is_array($val))
            {
                $return[$key] = $this->escape($val);
            }
            else
            {
                $return[$key] = htmlentities($val); //MORE WORK HERE
            }
        }
        return $return; // Return it
    }
}

So from now on, if you use this class to get your GET/POST/COOKIE vars, all the values are pretty safe, although you still need to use a database escape function. Read El_j's thread above.

Doing your escaping this way reduces the amount of code you need to write, as it's all done for you.

Peace
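
Added example, not part of the original post: the same recursive HTML encoding as a standalone function, showing why the class keeps a raw copy next to the cleaned one ("Cleaned (Not DB)"). It uses a PDO bound parameter in place of a database escape function; `escape_html`, the `users` table and the request data are made up for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not the poster's code. The request data below is constructed.
$rawGet = [
    'name' => "O'Reilly <b>",
    'tags' => ['<script>x</script>', 'a&b'],
];

// Recursive HTML encoding, as in Input::escape(), with explicit flags so the
// result does not depend on the PHP version's htmlentities() defaults.
// As in the class, array keys are not encoded.
function escape_html(array $var): array
{
    $return = [];
    foreach ($var as $key => $val) {
        $return[$key] = is_array($val)
            ? escape_html($val)
            : htmlentities((string) $val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $return;
}

$cleanGet = escape_html($rawGet);

// Database context: bind the RAW value as a parameter. The HTML-cleaned copy
// would store entities instead of the text the user typed.
$db = new PDO('sqlite::memory:'); // assumption: pdo_sqlite is loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $rawGet['name']]);

$stored = $db->query('SELECT name FROM users')->fetchColumn();

// HTML context: encode at the point where the value is written into a page.
$forHtml = htmlentities($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Printed to a terminal here so the four forms can be compared side by side.
echo 'Stored in DB:  ', $stored, PHP_EOL;
echo 'Cleaned copy:  ', $cleanGet['name'], PHP_EOL;
echo 'Nested values: ', implode(' | ', $cleanGet['tags']), PHP_EOL;
echo 'At output:     ', $forHtml, PHP_EOL;
```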