Which functions are needed for secure form input?
On my registration form I have four inputs:

username
password
email address
web address

Can't figure out which of all the available sanitizing methods is really needed:

strip_tags()
substr()
mysql_real_escape_string()
trim()
htmlentities()
addslashes()
. . . (you may add more)

Somewhere I found that a function is a must have, somewhere this function is declared as deprecated or less valuable than another one ...

Could someone be so kind as to create a list of priorities for all four inputs above?

Note: PDO prepared statements are already used for communication with the database.
First you need to be clear about what you would like to sanitize.

Because you already use prepared statements there is no need for: mysql_real_escape_string()

If you would like to deny your users the use of HTML, to avoid XSS you should perhaps use strip_tags()

To secure your HTML display against non-printable characters: htmlentities(). But in times of UTF-8 it is a little obsolete.

For password input trim() can be used, because it helps if the user copies passwords with a leading / trailing space (because Outlook adds spaces). But not everybody thinks it is a good idea to trim passwords.

Depending on your templating system it could be a good idea to use addslashes() for predefined input values like

<input type="text" value="<?php echo addslashes($value); ?>" />

because it could be possible to do:

my value " /><script>evil things</script><

to have some kind of XSS in autocomplete forms.
In a few words:

When you add your data to the database - use PDO's prepared statements with placeholders. That's it, nothing else is required.

When you output something from anywhere on the HTML page - you need to perform

htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

where $string is the string you want to output in a "safe" manner.
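As an added example (not code from the question or either answer), here is the two-step approach from the answers above applied to the four fields: validate on input, store through a PDO prepared statement, and escape with htmlspecialchars() on output. It uses an in-memory SQLite database so it runs offline; the table name `users`, its columns, the function names and the sample input are all assumptions made for this example. The "attribute-breaking" sample value is the one quoted in the first answer.

```php
<?php
// Added example, not from the original Q&A. Assumed schema: users(username, password_hash, email, website).
declare(strict_types=1);

function validateRegistration(array $input): array
{
    $errors = [];
    $clean  = [];

    // trim() is the only transformation applied to username/email/website;
    // everything else is validation (reject bad input rather than "clean" it).
    $username = trim((string)($input['username'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors['username'] = 'must be 3-32 letters, digits or underscores';
    }
    $clean['username'] = $username;

    // Password: never trim or otherwise alter it; check length on the raw value and hash it.
    $password = (string)($input['password'] ?? '');
    if (strlen($password) < 12) {
        $errors['password'] = 'must be at least 12 characters';
    }
    $clean['password_hash'] = password_hash($password, PASSWORD_DEFAULT);

    $email = trim((string)($input['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid email address';
    }
    $clean['email'] = $email;

    // Web address: FILTER_VALIDATE_URL accepts any scheme, so additionally require http(s)
    // so that values such as javascript: or data: URLs are rejected before they are ever stored.
    $website = trim((string)($input['website'] ?? ''));
    $scheme  = strtolower((string)parse_url($website, PHP_URL_SCHEME));
    if (filter_var($website, FILTER_VALIDATE_URL) === false || !in_array($scheme, ['http', 'https'], true)) {
        $errors['website'] = 'must be an http(s) URL';
    }
    $clean['website'] = $website;

    return [$clean, $errors];
}

function insertUser(PDO $pdo, array $clean): void
{
    // Placeholders do the escaping for the SQL context: no mysql_real_escape_string()/addslashes().
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, email, website) VALUES (:u, :p, :e, :w)'
    );
    $stmt->execute([
        ':u' => $clean['username'],
        ':p' => $clean['password_hash'],
        ':e' => $clean['email'],
        ':w' => $clean['website'],
    ]);
}

// Output escaping for the HTML context. ENT_QUOTES covers both " and ', so the
// result is safe inside a quoted attribute as well as in element text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Re-render a field with the submitted value (for example after a validation error).
function renderField(string $name, string $value): string
{
    return sprintf('<input type="text" name="%s" value="%s" />', e($name), e($value));
}

// Constructed sample input (assumption): the website field carries the payload quoted in the first answer.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE, password_hash TEXT, email TEXT, website TEXT)');

[$clean, $errors] = validateRegistration([
    'username' => 'alice',
    'password' => 'correct horse battery staple',
    'email'    => 'alice@example.com',
    'website'  => 'my value " /><script>evil things</script><',
]);

if ($errors === []) {
    insertUser($pdo, $clean);
} else {
    // The website value fails validation, so nothing is inserted. Echoing the field back
    // is still safe because e() converts ", <, and > to entities before they reach the attribute.
    foreach ($errors as $field => $message) {
        echo $field, ': ', $message, PHP_EOL;
    }
    echo renderField('website', $clean['website']), PHP_EOL;
}
```

The split matters: validation decides what is accepted, the prepared statement handles the SQL context, and htmlspecialchars() handles the HTML context at the moment of output. None of the three replaces the others, and none of the "sanitizing" functions listed in the question is applied to the stored data itself.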