What do you use this htmlentities stuff etc. for? Do you expect the user to send this, or do you provide any information that includes HTML that is sent back? If you want to be protected from a user faking the input, that’s the wrong method; it will not necessarily remove every invalid character. As the manual states:
The query string.
Data inside the query should be properly escaped.
which leads you to the following function.
But it’s easier to use Prepared Statements. With PDO it’s a simple task:
$pdo = new PDO($dsn, $username, $password); // connection details for your database
$select = $pdo->prepare("SELECT user, pin FROM pin WHERE pin = ?");
$select->execute([$pin]); // the user-supplied value is bound to the placeholder, never pasted into the SQL
$pins = $select->fetchAll();
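As an added example that is not part of the original post: the same prepared-statement pattern run end to end against an in-memory SQLite database, so it can be executed offline without the poster's MySQL setup. The table, the seed rows and the lookup values are constructed for illustration; one of the pins deliberately contains a single quote, which would break a query built by string concatenation but is handled as plain data by the placeholder.

```php
<?php
// Added example, not code from the original post.
// Uses SQLite in memory so it runs without a database server;
// the schema and rows below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("CREATE TABLE pin (user TEXT NOT NULL, pin TEXT NOT NULL)");
$seed = $pdo->prepare("INSERT INTO pin (user, pin) VALUES (?, ?)");
foreach ([['alice', '1234'], ['bob', "98'76"]] as $row) {
    // Inserting through a prepared statement too, so the quote in bob's pin is stored verbatim.
    $seed->execute($row);
}

/**
 * Look up rows by pin. The SQL text is fixed; the value travels separately
 * as a bound parameter, so whatever characters it contains are data, not syntax.
 */
function findByPin(PDO $pdo, string $pin): array
{
    // UNSAFE pattern this replaces (do not use):
    //   "SELECT user, pin FROM pin WHERE pin = '" . $pin . "'"
    $select = $pdo->prepare("SELECT user, pin FROM pin WHERE pin = ?");
    $select->execute([$pin]);
    return $select->fetchAll(PDO::FETCH_ASSOC);
}

// A value containing a quote: concatenation would have produced a syntax
// error; the prepared statement simply matches the stored row.
var_dump(findByPin($pdo, "98'76")); // one row: user "bob"

// No row has this pin, so an empty array comes back rather than a broken query.
var_dump(findByPin($pdo, "1234'")); // array(0) {}
```

Note that htmlentities is an output-encoding function for HTML, which is a different concern from escaping data for SQL; with a prepared statement the database driver takes care of the SQL side, and HTML encoding is applied only when a value is rendered into a page.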