Here is my function that I created for escaping strings…
function clean_array($value)
{
    foreach($value as $key => $val)
    {
        if(get_magic_quotes_gpc())
        {
            $value[$key]=stripslashes($val);
        }
        $value[$key]= mysql_real_escape_string($val);
        $value[$key]=htmlentities($val);
        $value[$key]=htmlspecialchars($val);
    }
    return $value;
    unset($val);
}
Please explain step by step because I am a beginner in PHP. I would be very grateful to you if you give a solution…
Your code is accomplishing absolutely nothing. Before you start worrying about writing “secure” code, you should learn basic coding. Walk before you try to run off a cliff.
1) magic_quotes has been deprecated for a LONG time, and has actually been removed from the latest PHP version. Writing in handlers for it as you are only helps to keep old/obsolete/insecure PHP versions alive.
2) You continually take $val, do something to it, then store the resulting new data into a variable. But you ALWAYS use the SAME source, and the SAME destination. So your mysql_real_escape_string is destroyed/overwritten by the htmlentities() call, which in turn is destroyed/overwritten by the htmlspecialchars() call. In effect, that entire chunk of code has the operational functionality of:
3) Don’t do an all-in-one security function. Sanitizing/securing data depends ENTIRELY on how you’re going to be using that “secured” data. There is absolutely ZERO point in doing html transformations on data that will be stored in a database. Likewise, if you are never going to be allowing these “secured” values into a database, then there is no point in doing SQL escaping on them. All you’re doing is performing a sequence of operations that most likely will simply have to be undone again later on, because you weren’t targeting whatever environment that data was going to be used for.
It’s a lot like putting on a rain coat, a parka, a sleeping bag, and a scuba diving rig, BEFORE deciding on whether you’re going outside or for a swim, or if it’s winter out.
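As an added illustration of points 2 and 3 above (example code, not from the original thread): the value stays raw, is bound as data through a prepared statement when it reaches the database, and is HTML-escaped only when it is echoed into a page. The in-memory SQLite database and the table/column names are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Demonstrates the
// overwrite problem (point 2) and escaping per context (point 3).

// Point 2: every assignment reads the untouched $val, so only the last
// call survives. This is all the original loop effectively keeps.
function clean_array_effective(array $value): array
{
    foreach ($value as $key => $val) {
        $value[$key] = htmlspecialchars($val); // earlier escapes are lost
    }
    return $value;
}

// Point 3, database context: a prepared statement binds the raw value as
// data, so no mysql_real_escape_string() and no HTML encoding are needed.
function store_name(PDO $db, string $name): void
{
    // Table and column names are assumptions for this example.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Point 3, HTML context: escape once, at output, with flags and charset
// stated explicitly so quotes and angle brackets are all encoded.
function render_name(string $name): string
{
    return '<p>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample input containing both a quote and an angle bracket.
$input = ['name' => "O'Brien <admin>"];

// What the original function actually produces: HTML-encoded text that
// is now wrong for the database and would be double-encoded at output.
var_dump(clean_array_effective($input));

// Context-specific path: raw value in, stored verbatim, encoded on display.
$db = new PDO('sqlite::memory:');          // assumption: SQLite is available
$db->exec('CREATE TABLE users (name TEXT)');
store_name($db, $input['name']);
$stored = $db->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $input['name']);     // stored exactly as entered
echo render_name($stored), "\n";          // safe to place in an HTML page
```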