OK, you "shouldn't" do this, since you shouldn't ever change the original raw data and you "should" store the raw data in the database as well.
That aside... I would rather use a "whitelist" instead of a "blacklist".
If you escape the data when you need to, you can often forget! However, if you have to unescape the data instead when you need to (rarely), the errors of not doing so when you forget are usually much, much less! This is why I tend to:
- Iterate over the $_POST, $_GET, $_REQUEST, $_COOKIE, etc. superglobals (remember some may be multidimensional arrays if the form's name='dsdsa')
- Run htmlentities(..., ENT_QUOTES) followed by mysql_real_escape_string(). Make sure the mysql escaping is AFTER htmlentities, or else you will suffer from double slashes!
- The data can now be safely shown on the site OR used in the database! No need to remember to escape anything; instead, you just need to unescape it (reverse the order) on the few occasions that you need to (such as using variables in URLs). Also, data can instantly be shown from the database without needing to escape it first (because htmlentities was already run on it) to prevent attacks such as XSS.
Hope that helps.
P.S. If showing the data in URLs on the site you will need to unescape it, then use rawurlencode() instead.
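The walk over the superglobals that the post describes, as an added example that is not the poster's own code. It assumes the legacy mysql extension with an open connection in $link, a UTF-8 site, and placeholder credentials; the helper names are mine.

```php
<?php
// Added example: escape-on-input in the order the post gives (entities first,
// then SQL escaping), applied recursively so nested form arrays are covered.

// Apply $fn to every scalar leaf of $value. Forms posted with names like
// name="user[address][city]" arrive as nested arrays, so recursion is needed.
function walk_escape($value, callable $fn) {
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = walk_escape($v, $fn);
        }
        return $out;
    }
    return $fn((string) $value);
}

// Step 1: HTML entities with ENT_QUOTES so ' and " become &#039; and &quot;.
// Step 2: SQL escaping on the result, never the other way round.
function escape_input($s, $link) {
    $s = htmlentities($s, ENT_QUOTES, 'UTF-8');
    return mysql_real_escape_string($s, $link);
}

// Reverse for the rare case the post names: a value that came back out of the
// database and is now needed in a URL. The backslash escaping was consumed by
// the MySQL server at INSERT time, so only the entity step has to be undone.
// (There is no exact inverse for mysql_real_escape_string() on an in-request
// value: stripslashes() turns the escaped newline "\n" into a plain "n".)
function url_param_from_stored($s) {
    return rawurlencode(html_entity_decode($s, ENT_QUOTES, 'UTF-8'));
}

$link = mysql_connect('localhost', 'dbuser', 'dbpass'); // placeholder credentials

$escape = function ($s) use ($link) {
    return escape_input($s, $link);
};
$_GET     = walk_escape($_GET, $escape);
$_POST    = walk_escape($_POST, $escape);
$_COOKIE  = walk_escape($_COOKIE, $escape);
$_REQUEST = walk_escape($_REQUEST, $escape);

// Example of the reverse path with a constructed stored value.
$stored = 'Tom &amp; Jerry &#039;99';          // as it sits in the database
$query  = '?q=' . url_param_from_stored($stored); // ?q=Tom%20%26%20Jerry%20%2799
```

mysql_real_escape_string() belongs to the mysql extension that was removed in PHP 7.0; mysqli_real_escape_string() is its direct counterpart on current PHP.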