Will these security functions be enough? (PHP)

Posted by ggfan on Stack Overflow
Published on 2010-05-04T20:21:03Z

I am trying to secure my site so I don't have sql injections and xss scripting. Here's my code.

//here's the form; for brevity, I just show a field for users to put their first name
<form>
<label for="first_name" class="styled">First Name:</label>
<input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br />

//submit button etc
</form>


if (isset($_POST['submit'])) {

 //gets rid of extra whitespace and escapes
 $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));

 //check if $first_name is a string
 if (!is_string($first_name))
 {
 echo "not string";
 }

 //then insert into the database.
 .......

}

mysqli_real_escape_string: I know that this func escapes certain letters like \n \r, so when the data gets inputted into the dbc, it would have '\' next to all the escaped letters?

--Will this script be enough to prevent most sql injections? Just escaping and checking if the data is a string. For integer values (like users putting in prices), I just: is_numeric().

--How should I use htmlspecialchars? Should I use it only when echoing and displaying user data? Or should I also use this too when inputting data to a dbc?

--When should I use strip_tags() or htmlspecialchars?

SO with all these functions...

if (isset($_POST['submit'])) {

 //gets rid of extra whitespace and escapes
 $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));

 //check if $first_name is a string
 if (!is_string($first_name))
 {
 echo "not string";
 }

 //gets rid of any <,>,&
 htmlspecialchars($first_name);

 //strips any tags with the first name
 strip_tags($first_name);

 //then insert into the database.
 .......

}

Which funcs should I use for sql injections and which ones should I use for xss?
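The two concerns in the question (SQL injection on the way into the database, XSS on the way back out to the browser) are handled by different mechanisms, and the following is an added example of how the same first-name form can be written to cover both; it is not the poster's code. It assumes an existing mysqli connection in $dbc and a hypothetical table users with a VARCHAR column first_name. Prepared statements replace mysqli_real_escape_string entirely (the value never becomes part of the SQL text, so no backslashes are stored), and htmlspecialchars is applied only at output time, on whatever is echoed back into the page.

```php
<?php
// Added example, not the poster's code. Assumes $dbc is an open mysqli
// connection and that a table `users` (VARCHAR first_name) exists; both the
// table and column names are hypothetical.
declare(strict_types=1);

// Escape a string for insertion into HTML. Called when rendering, never
// before storing: the database keeps the raw value, the page gets the escaped one.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Validate the raw form value. Returns the cleaned name, or null if rejected.
// A $_POST entry is not guaranteed to be a string (a field named first_name[]
// arrives as an array), so the type check runs before trim() is called.
function validate_first_name($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    return $name;
}

// Validate a price-style field. filter_var is stricter than is_numeric(),
// which also accepts exponent notation such as "1e3" and leading whitespace.
function validate_price($raw): ?float
{
    if (!is_string($raw)) {
        return null;
    }
    $price = filter_var(trim($raw), FILTER_VALIDATE_FLOAT);
    return ($price === false || $price < 0) ? null : $price;
}

// Insert through a prepared statement. The bound value is sent separately from
// the SQL text, so it cannot change the query's structure; do not run
// mysqli_real_escape_string on it first, or literal backslashes get stored.
function insert_user(mysqli $dbc, string $firstName): bool
{
    $stmt = $dbc->prepare('INSERT INTO users (first_name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $firstName);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$first_name = '';
$error = '';
if (isset($_POST['submit'])) {
    $first_name = validate_first_name($_POST['first_name'] ?? null) ?? '';
    if ($first_name === '') {
        $error = 'Please enter a first name of up to 50 characters.';
    } elseif (!insert_user($dbc, $first_name)) {
        $error = 'Could not save your name.';
    }
}
?>
<form method="post">
<label for="first_name" class="styled">First Name:</label>
<!-- Escaping happens here, at output, so a stored "<" renders as text. -->
<input type="text" id="first_name" name="first_name" value="<?= e($first_name) ?>" /><br />
<?php if ($error !== ''): ?><p><?= e($error) ?></p><?php endif; ?>
<input type="submit" name="submit" value="Save" />
</form>
```

Note that strip_tags() does not appear at all: removing tags from stored data is lossy (a legitimate name or comment containing "<" would be mangled) and does not make output safe on its own, whereas escaping at the point of output with htmlspecialchars() handles every stored value uniformly. The original form's value="<?php ... echo $first_name; ?>" is the spot where the escaping is missing; e() is the replacement for that echo.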
