It is better to have too many validation checks and sanitization routines than too few. Adding redundancy does not make the system any more or less secure. Either it is vulnerable or it is not; it is a boolean, not a float. When I review code and see redundant security measures, I treat it as a red flag, and it encourages me to dig deeper. This programmer is paranoid and perhaps does not understand the nature of vulnerabilities, although this is not always the case.
There is one more problem. htmlentities() does not always stop XSS; for example, what if the output ends up inside <script></script>, or even in an href? mysql_real_escape_string() does not always stop SQL injection either; what about this: 'select * from user where id='.mysql_real_escape_string($_GET[id]); ? preg_match() can fix this problem, but intval() is a much better function to use in this case.
I am a HUGE fan of prepared statements. I think this is a great approach because it is safe by default, but passing a variable through mysql_real_escape_string() before the prepared statement just messes up the data. I saw a beginner fix this problem by deleting all the validation routines, thereby introducing a vulnerability because of the redundancy. Cause and effect.
Web Application Firewalls (WAFs) are a great example of how layers can enhance security. WAFs rely heavily on regular expressions. They try to look at the big picture and block malicious input, or at least log it. They are by no means a silver bullet and should not be the only security measure you use, but they do stop some exploits, and I recommend installing mod_security on production machines.
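The two SQL failure modes described in the answer above, as an added example that is not part of the original post or the poster's own code. It runs against an in-memory SQLite table so it works offline; the user table and rows are constructed here, mysql_style_escape() is a simplified stand-in for PHP's mysql_real_escape_string(), and php_intval() is an assumed emulation of intval()'s leading-digit parsing. It shows that escaping an unquoted numeric parameter does nothing, that an integer cast or parameter binding does, and that escaping a value and then binding it stores corrupted data.

```python
"""Added example: escaping vs. casting vs. binding for a user-supplied id.

Not from the original post. Sample table, rows and helper names are
constructed for the demonstration.
"""
import re
import sqlite3

# Constructed sample data standing in for the post's `user` table.
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def fresh_db():
    """New in-memory database with the constructed user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return con


def mysql_style_escape(s):
    """Simplified stand-in for mysql_real_escape_string(): backslash-escapes
    the characters it escapes. It only helps when the value is quoted."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def php_intval(s):
    """Assumed emulation of PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def lookup_escaped_unquoted(con, user_id):
    """The pattern criticised in the post: the escaped value is concatenated
    without quotes, so a payload containing no quote passes straight through."""
    sql = "SELECT id, name FROM user WHERE id=" + mysql_style_escape(user_id)
    return con.execute(sql).fetchall()


def lookup_intval(con, user_id):
    """The intval() fix: whatever the input, only an integer reaches the SQL."""
    sql = "SELECT id, name FROM user WHERE id=" + str(php_intval(user_id))
    return con.execute(sql).fetchall()


def lookup_prepared(con, user_id):
    """Parameter binding: the value never becomes part of the SQL text."""
    return con.execute("SELECT id, name FROM user WHERE id=?",
                       (user_id,)).fetchall()


def insert_then_find(con, name, escape_first):
    """The redundancy bug: escaping a value and then binding it stores the
    escaped form, so the original value can no longer be found.
    Returns (what was stored, rows matching the original name)."""
    stored = mysql_style_escape(name) if escape_first else name
    con.execute("INSERT INTO user (name) VALUES (?)", (stored,))
    found = con.execute("SELECT name FROM user WHERE name=?", (name,)).fetchall()
    return stored, found


if __name__ == "__main__":
    payload = "1 OR 1=1"  # no quote character, so escaping is a no-op
    print("escaped, unquoted:", lookup_escaped_unquoted(fresh_db(), payload))
    print("intval:           ", lookup_intval(fresh_db(), payload))
    print("prepared:         ", lookup_prepared(fresh_db(), payload))
    print("escape+bind:      ", insert_then_find(fresh_db(), "O'Reilly", True))
    print("bind only:        ", insert_then_find(fresh_db(), "O'Reilly", False))
```

The unquoted, escaped query returns every row for the payload `1 OR 1=1`, while the intval() and bound versions return one row and no rows respectively; the escape-then-bind path stores `O\'Reilly` and a later lookup for `O'Reilly` finds nothing, which is exactly the "messed up data" the post describes.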