Use of functions in a CMS

Where to declare variables


jspeed

7:24 pm on Jun 6, 2011 (gmt 0)




Alright, these may be elementary questions, but I'm learning to implement the use of functions. I am attempting to use them in the CMS I've coded for sites I do. My questions are:

1) What is the best practice for storing the functions? Do you keep them in a master file, like functions.php, and include it into the template so they are always available? Or is there some other way I'm missing?

2) Say I want to pass two arguments to the function for a SQL update, do I scrub the submitted data outside the function before the data is submitted? Or inside the function each time it is called?

e.g.
function UpdateSite($section, $text) {
    global $dbtable; // $dbtable is not visible inside the function without this
    $text = mysql_real_escape_string($text);
    // the replacement string on this line did not survive the page rendering; '&#039;' is assumed
    $text = preg_replace("/'/", '&#039;', $text);
    mysql_query("UPDATE $dbtable SET `texttable` = '$text' WHERE `id` = $section");
}


Thanks for the help.

httpwebwitch

7:58 pm on Jun 6, 2011 (gmt 0)




Everyone has their own coding style, but here's how I'd approach this:

1) I usually put functions inside a class. so typically I wouldn't call function_name($args), instead I'd do:

$obj = new ClassName();
$obj->function_name($args);

or if the function is "public static", I'll call ClassName::function_name($arg);

Classing keeps the global namespace clear and prevents accidental clobbering, i.e., if you happen to define two functions with the same name. PHP5+ is a fully object-oriented language, and it's good to learn how to employ it. It will improve your code. Trust me.

2) I *always* scrub data as I'm constructing the SQL query. Nowhere else. For example:

function Update($id, $var) {

    // make sure the $id is numeric
    if (!is_numeric($id)) { return false; }

    // do something to the data
    $var = strtolower($var);

    // build the query
    $query = "update tablename set column = '" . mysql_real_escape_string($var) . "' where id = " . $id;

    // execute it
    $success = mysql_query($query);

    return $success;
}

You should not expect that the input to a function will be SQL-escaped.

When you follow this practice, you can be 100% certain that all your SQL queries do proper escaping to prevent SQL injection, because you can look for all the places you've created a $query, and make sure that all strings are being real_escaped.


3) bonus tip

Don't save escaped data into your database, like url-encoded or html-encoded or with extra slashes. Make sure the data is "raw" when it's written. Then later when you SELECT it, you can escape it appropriately - htmlspecialchars() if you're outputting XML/HTML, addslashes() for JSON, mysql_real_escape_string() if you're putting it back into SQL, etc.

The only time I store HTML encoded stuff in a database is if it's actually HTML, like something someone has marked up as text content.

BTW, someone could pwn that function of yours if $section isn't numeric
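The points in the two posts above (functions grouped in a class and called statically, the numeric check on the id, text kept raw in the database and escaped only on output) put together in one runnable file. This is an added example, not code from either poster; it swaps mysql_real_escape_string() for a bound parameter via PDO, and uses an in-memory SQLite database so it runs offline (the `sections` table, the column name `texttable`, the class name `SiteContent` and the sample inputs are all assumptions made for the example).

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite so it runs
// offline; in a real CMS the DSN would point at MySQL. Requires pdo_sqlite.
// Technique: validate the id, bind the text as a parameter instead of
// escaping it, store the raw text, and escape only when rendering.

final class SiteContent
{
    private static ?PDO $db = null;

    /** Connect once and create the assumed schema for the example. */
    public static function db(): PDO
    {
        if (self::$db === null) {
            self::$db = new PDO('sqlite::memory:');
            self::$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            self::$db->exec('CREATE TABLE sections (id INTEGER PRIMARY KEY, texttable TEXT NOT NULL)');
            self::$db->exec("INSERT INTO sections (id, texttable) VALUES (1, 'original')");
        }
        return self::$db;
    }

    /**
     * Update one section. $section arrives from the request as a string, so
     * accept only a plain positive integer ("1 OR 1=1", "", "-1" are rejected;
     * is_numeric() would also let "1e3" or " 7" through, which a key never needs).
     * $text is NOT escaped here: it is bound as a parameter, so the SQL engine
     * never parses it as part of the statement.
     */
    public static function update(string $section, string $text): bool
    {
        if (!preg_match('/^[1-9][0-9]*$/', $section)) {
            return false;
        }
        $stmt = self::db()->prepare('UPDATE sections SET texttable = :text WHERE id = :id');
        $stmt->bindValue(':text', $text, PDO::PARAM_STR);
        $stmt->bindValue(':id', (int) $section, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount() === 1;
    }

    /** Return the stored text exactly as written (raw, unescaped), or null. */
    public static function fetch(int $id): ?string
    {
        $stmt = self::db()->prepare('SELECT texttable FROM sections WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $value = $stmt->fetchColumn();
        return $value === false ? null : $value;
    }

    /** Escape at output time, for the context being written into (HTML here). */
    public static function renderHtml(int $id): string
    {
        return htmlspecialchars((string) self::fetch($id), ENT_QUOTES, 'UTF-8');
    }
}

// Constructed inputs, as they might arrive from the CMS edit form.
$hostile = "Bob's <b>site</b>'; DROP TABLE sections; --";

if (SiteContent::update('1 OR 1=1', 'x') !== false) {
    throw new RuntimeException('a non-numeric id must be rejected');
}
if (SiteContent::update('1', $hostile) !== true) {
    throw new RuntimeException('a valid id with hostile text must update exactly one row');
}
if (SiteContent::fetch(1) !== $hostile) {
    throw new RuntimeException('text must be stored raw, quotes and tags intact');
}
echo SiteContent::renderHtml(1), PHP_EOL;   // quotes and tags are entity-encoded only here, for HTML
```

Because the text is bound rather than spliced into the query string, there is no escaping step to forget, which is the guarantee the second post is after when it says every $query should be checked. If you move this to MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the parameters are sent separately from the statement rather than escaped client-side by the driver.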

jspeed

8:10 pm on Jun 6, 2011 (gmt 0)




That makes sense. I'll research classes.

Thanks for the tips!