“Enough sanitization” thoroughly depends on what environment you’re talking about. Sanitization for MySQL should be considered entirely separate from sanitization for web output, and you should handle them separately to avoid a lot of hassle.

Sanitizing for MySQL

• mysql_real_escape_string() will sanitize a piece of data and make it safe to put inside an SQL query.
• Any other type of malicious data, such as HTML tags inside the string, should be absolutely ignored. Trying to manipulate it here will lead you to headaches as you try to “un-manipulate” it later after getting it out of the database. Bad “web data” cannot harm your database.

Sanitizing for output

• htmlspecialchars($val) at output time will prevent any malicious tags from being rendered, because < and > characters are converted into their entity representations and not rendered as tag delimiters.
• Use the ENT_QUOTES modifier if you are outputting something that is inside an HTML element’s quoted attribute, such as <input name="email" value="<?php echo htmlspecialchars($email,ENT_QUOTES); ?>" />

That should be all you need, unless you have special requirements. strip_tags() shouldn’t really be used for sanitization, as it can be fooled with badly formed HTML. Sanitization is a worthy goal, and if you can keep your contexts separate, you’ll run into fewer problems with data manipulation between them.