I am doing a lot of CRUD (Create, Read, Update, Delete) on a site I am building for my company. I want to be sure to prevent both SQL injection and XSS. I have been reading some books on the matter and found this bit of code. What do you think, good?

PHP Code:
<?php
// Each call passes a POST value as the argument; inside the function that value is named $string.
$user = mysql_entities_fix_string($_POST['user']);
$pass = mysql_entities_fix_string($_POST['pass']);

$query = "SELECT * FROM users WHERE user='$user' AND pass='$pass'";

// HTML-escape the already SQL-escaped value.
function mysql_entities_fix_string($string)
{
    return htmlentities(mysql_fix_string($string));
}

// Undo magic quotes if enabled, then escape for use inside a quoted SQL literal.
function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
?>
I have been looking over it for a while and understand it for the most part, except that it refers to the variable $string. I don't see how the variable $string is at all referenced in:
PHP Code:
$user = mysql_entities_fix_string($_POST['user']);
$pass = mysql_entities_fix_string($_POST['pass']);
Any help understanding how the variable $string is referenced would be appreciated.
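The following is an added example, not code from the original post. It shows the same login check written with PDO prepared statements, so the driver handles SQL quoting instead of string concatenation, and with HTML escaping applied only where the value is rendered rather than before it is stored. The `$user` parameter of `checkLogin` plays the same role as `$string` in the post's helper: it is simply the name the function gives to whatever argument is passed in. Assumptions: a table `users` with columns `user` and `pass` (a password hash), and an in-memory SQLite database so the script runs without a MySQL server; the DSN would be swapped for a `mysql:` one in the real site.

```php
<?php
// Added example, not from the original post. Uses SQLite in memory so it runs
// stand-alone; replace the DSN with your MySQL DSN in a real deployment.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass TEXT)');
    return $pdo;
}

// Create: values are bound as parameters, never concatenated into the SQL text,
// and the password is stored as a hash rather than in clear.
function createUser(PDO $pdo, string $user, string $plainPassword): void
{
    $stmt = $pdo->prepare('INSERT INTO users (user, pass) VALUES (:user, :pass)');
    $stmt->execute([
        ':user' => $user,
        ':pass' => password_hash($plainPassword, PASSWORD_DEFAULT),
    ]);
}

// Read: $user here is the function's parameter name, just like $string in the
// post's helper; it receives whatever argument the caller passes.
function checkLogin(PDO $pdo, string $user, string $plainPassword): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($plainPassword, $row['pass']);
}

// Output escaping happens at render time, so the stored value is left unmodified
// and the same value can still be used safely in a query, a CSV export, etc.
function renderName(string $user): string
{
    return htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = connect();

// Constructed sample data: a username containing a single quote, which the
// post's concatenated query would have needed escaping for.
createUser($pdo, "o'brien", 'correct horse battery staple');

var_dump(checkLogin($pdo, "o'brien", 'correct horse battery staple'));
var_dump(checkLogin($pdo, "o'brien", 'wrong password'));
var_dump(checkLogin($pdo, 'nobody', 'anything'));

echo renderName("<b>o'brien</b>"), "\n";
```

Because the username is bound as a parameter, the quote in `o'brien` is data, not SQL syntax, and no escaping function is needed on the way in. Escaping with `htmlentities` before storage, as the post's code does, would also leave `&#039;` in the database and break comparisons against the original value, which is why the HTML escaping is kept separate and applied only on output.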