<?php
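/**
 * Legacy escaper for a value that is going to be embedded in a single-quoted
 * MySQL string literal ('...').  The result carries NO surrounding quotes; the
 * caller must still write `'` . xsssql($v, $db) . `'`, and the escaping only
 * holds inside a quoted literal (it does nothing for numeric or identifier
 * positions).
 *
 * @deprecated Prefer prepared statements (mysqli/PDO placeholders) and keep this
 *             only for call sites that cannot be converted yet.
 *
 * What changed versus the previous version, and why:
 *  - The magic_quotes branch is gone.  get_magic_quotes_gpc() has returned false
 *    since PHP 5.4 and does not exist in PHP 8, where calling it is a fatal error.
 *  - htmlentities() is gone.  HTML-encoding a value before it reaches SQL does not
 *    protect SQL, and it corrupts data: a `"` in the input is written to the
 *    table as `&quot;`, equality lookups on the real value then fail, and a
 *    template that escapes on output double-encodes.  Escape for HTML at output
 *    time with htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
 *    NOTE(review): if some page echoes database values raw and silently relied on
 *    this pre-encoding, that page is where the fix belongs — confirm.
 *  - ext/mysql was removed in PHP 7.0, so an explicit mysqli connection is
 *    accepted.  Escaping must use the connection's charset (a connection-less
 *    escaper is not safe for multibyte charsets such as GBK/SJIS); on the PHP 5
 *    fallback path that means the charset has to have been set with
 *    mysql_set_charset(), not with `SET NAMES`.
 *  - The function now fails closed: if nothing can escape the value it throws
 *    instead of returning false/unescaped text that the caller would splice into
 *    the query as an empty or raw string.
 *
 * @param mixed       $dirty untrusted scalar (e.g. straight from $_GET); arrays
 *                           such as ?user[]=x are rejected
 * @param mysqli|null $link  open connection whose charset governs the escaping;
 *                           on PHP 5 with ext/mysql loaded it may be omitted
 * @return string escaped value without surrounding quotes
 * @throws InvalidArgumentException when $dirty is not a scalar or $link is not a mysqli
 * @throws RuntimeException         when no usable connection is available
 */
function xsssql($dirty, $link = null) {
	if ($dirty !== null && !is_scalar($dirty)) {
		throw new InvalidArgumentException('xsssql(): expected a scalar, got ' . gettype($dirty));
	}
	$value = (string) $dirty;

	if ($link !== null) {
		if (!($link instanceof mysqli)) {
			throw new InvalidArgumentException('xsssql(): $link must be a mysqli connection');
		}
		return mysqli_real_escape_string($link, $value);
	}

	// PHP 5 only: ext/mysql escapes against the most recently opened connection
	// and returns false (with a warning) when there is none.
	if (function_exists('mysql_real_escape_string')) {
		$escaped = mysql_real_escape_string($value);
		if ($escaped === false) {
			throw new RuntimeException('xsssql(): no open MySQL connection to escape against');
		}
		return $escaped;
	}

	throw new RuntimeException('xsssql(): pass an open mysqli connection; ext/mysql is not available');
}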
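// How to use: never splice request input into the SQL text, even escaped — bind it.
// Assumes $db is an open mysqli connection created elsewhere (not shown in this file).
$user = isset($_GET['user']) ? $_GET['user'] : '';
if (!is_string($user)) {
	// ?user[]=x arrives as an array; refuse it instead of letting it reach the driver.
	http_response_code(400);
	exit;
}
// The query text is constant; the value travels separately as a bound parameter,
// so no quoting or escaping of $user is needed (or wanted) here.
$query = 'SELECT * FROM users WHERE user = ?';
$stmt = $db->prepare($query);
if ($stmt === false) {
	throw new RuntimeException('prepare failed: ' . $db->error);
}
$stmt->bind_param('s', $user);
$stmt->execute();
$result = $stmt->get_result();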
?>