I have a function to prevent SQL injection. It is an excellent function, but this function for preventing attacks began showing problems with characters.
The word "controle de finanças" in var_dump shows as string(31) "controle de finanã§as"
I'm trying methods and have been failing for 2 days. Please help me.
function anti_sql_injection($string){
    // Add slashes only when magic quotes are not already doing it
    if(ini_get('magic_quotes_gpc') == 'off'){
        $string = addslashes($string);
    }
    // No charset argument is passed here
    $string = htmlentities($string, ENT_QUOTES);
    // Strip blacklisted words and characters
    $codes = array("script","java","applet","iframe","meta","object","html","concat","char","floor","rand", "<", ">", ";", "'","%");
    $string = str_replace($codes,"",$string);
    return $string;
}
Try this:
function anti_sql_injection($string){
    // Add slashes only when magic quotes are not already doing it
    if(ini_get('magic_quotes_gpc') == 'off') {
        $string = addslashes($string);
    }
    // Escape HTML special characters only, treating the input as UTF-8
    $string = htmlspecialchars($string, ENT_QUOTES, "utf-8");
    // Strip blacklisted words and characters
    $codes = array("script","java","applet","iframe","meta","object","html","concat","char","floor","rand", "<", ">", ";", "'","%");
    $string = str_replace($codes,"",$string);
    return $string;
}
I'd tell you to use PDO. It has built-in SQL injection protection via prepared statements. Check out this tutorial to start with PDO. I know it's kind of old, but it's still valid and explained.
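The prepared-statement approach suggested in the last answer, as an added example that is not part of the original posts: values are bound as parameters, so the text is stored unmodified (accents, quotes and percent signs included) and HTML escaping happens only at output. The in-memory SQLite database (requires the pdo_sqlite extension), the `notes` table, the helper names and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added example: bind values with PDO instead of rewriting them.
// SQLite in memory keeps the script self-contained. For MySQL the DSN would
// carry the charset, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4',
// with PDO::ATTR_EMULATE_PREPARES set to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Hypothetical helper: the SQL text is fixed, the value travels separately.
function save_title(PDO $pdo, string $title): int {
    $stmt = $pdo->prepare('INSERT INTO notes (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: exact-match lookup, again with a bound parameter.
function find_by_title(PDO $pdo, string $title): array {
    $stmt = $pdo->prepare('SELECT id, title FROM notes WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs: accented text, characters the blacklist
// function would strip, and a classic quote-based injection string.
$inputs = [
    "controle de finanças",
    "O'Brien; 100% <java> charts",
    "x' OR '1'='1",
];
foreach ($inputs as $in) {
    save_title($pdo, $in);
}

// Each value comes back byte for byte, and the injection string matches
// only its own row because it is compared as data, never parsed as SQL.
foreach ($inputs as $in) {
    $rows = find_by_title($pdo, $in);
    var_dump(count($rows) === 1 && $rows[0]['title'] === $in);
}

// Escape for HTML at output time, with the charset stated explicitly.
foreach ($inputs as $in) {
    echo htmlspecialchars($in, ENT_QUOTES, 'UTF-8'), "\n";
}
```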