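/**
 * Recursively escape every scalar leaf of $var for HTML output AND for use
 * inside a MySQL quoted string literal (legacy mysql_* extension).
 *
 * NOTE(review): this is the "sanitise everything at the front door"
 * anti-pattern and should not be relied on as the SQLi/XSS defence.
 * Escaping is context-specific: HTML-encoding a value before it is stored
 * corrupts data (e.g. O'Neil is persisted as O&#039;Neil), the result is
 * wrong for JavaScript/URL/attribute contexts, and mysql_real_escape_string()
 * only protects values placed inside quotes — not numeric or identifier
 * positions. The robust fix is prepared statements (PDO/mysqli) for SQL and
 * htmlspecialchars() at the point of HTML output. Kept because existing
 * callers depend on the name and shape.
 *
 * @param array $var  Nested array of request data (e.g. $_POST). Non-array
 *                    leaves are coerced to string before escaping.
 * @return array      Same keys and nesting as $var with every leaf escaped.
 */
function protect_from_xss_and_sqli($var) {
	foreach($var as $key=>$value) {
		if(is_array($value)) {
			$var[$key] = protect_from_xss_and_sqli($value);
			continue;
		}
		// Bug fix: the original assigned htmlspecialchars($value) and then
		// immediately overwrote it with mysql_real_escape_string($value), so
		// the XSS step never took effect. Chain the two calls so both apply.
		// ENT_QUOTES also encodes single quotes (needed inside single-quoted
		// attributes); ENT_SUBSTITUTE plus an explicit charset stops invalid
		// UTF-8 from making htmlspecialchars() return "" and silently drop
		// the field.
		$escaped = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
		// mysql_real_escape_string() requires an open mysql_* connection and
		// the whole mysql extension was removed in PHP 7.0 — on modern PHP
		// this line is a fatal "undefined function" error. Replace with a
		// prepared statement at the query site rather than patching here.
		$var[$key] = mysql_real_escape_string($escaped);
	}
	return $var;
}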

// Replace the $_POST superglobal with an escaped copy of itself for the rest
// of the request. NOTE(review): after this line every consumer of $_POST
// receives HTML-entity-encoded, backslash-escaped strings, so any code that
// later binds these values via prepared statements or stores them for
// non-HTML output will see double-escaped data. $_GET, $_COOKIE and
// php://input are not touched, so this is not a complete input filter.
$escapedPost = protect_from_xss_and_sqli($_POST);
$_POST = $escapedPost;