Securing user inputs for database

PHP
1

I get input from user through a form and then process.
For example,
Method 1:

if $_POST[\\'submit\\']{
$title = $_POST[\\'title\\'];
$message = $_POST[\\'message\\'];

send_message($title, $message);
}

Now


function send_message($title, $message){
$t= secure($title);
$m = secure($message);

---
--
}

Method 2:

if $_POST[\\'submit\\']{

$title = secure($_POST[\\'title\\']);
$message = secure($_POST[\\'message\\']);

send_message($title, $message);
}

function send_message($title, $message){
//No need to secure here as its already done.
}

Please note that i did not secure the input, i sent the input as the user submitted it. I will secure it in the send_message function before i insert to database.
So my question is that, is there any security risk by passing the inputs in a function as above?

Should i secure the inputs before i call the send_message function?
Which of the method is better?

2

As a side note, you do realize that the backslash character (\) escapes the quotes you’re placing around the array index in POST, right? (\‘title\’)

That’s actually slower, and a poorer way of doing it. You should take the backslashes out.

3

Why not just use mysql_real_escape_string()?

It escapes the user inputted data before adding it to the DB. The best way to go about it, unless you plan on using prepared statements.

4

I would do the secure in the send_message function…

However if you use prepared statements with PDO there is no need to do additional securing in most cases…

The secure function, what does it do, “addslashes” or “mysql_real_escapestring” or such…?