Reading this post first may be helpful!
Remove default PHP escaping and apply your own at runtime. This way you are safe at client’s setting of magic quote in their php.ini.
PHP has default escaping functionality. It escapes all incoming data.
It is preferred not to use default magic quote ‘On’ in PHP. In PHP 6.0.0 it will [...]

Minimum solution to php website security is initializing variable before use, plus filter input and escape output