For a secure url query, what is more secure? filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlentities ?
What are you defending against? A vulnerability is highly dependent on how the data is being used. Its impossible to create 1 function call that protects against everything, and mixing protection systems (like xss and sql injection) is a very bad idea.
For XSS you should use: htmlspecialchars($var, ENT_QUOTES);
For Sql Injection in mysql you should use mysql_real_escape_string($var);
If you are passing user input to system() or another similar function then you should use escapeshellarg($var);
These are the top 3 and mixing these will cause nothing but problems.
The first one is clearly designed for such a purpose.