What is the preferred order for escaping characters?
For instance in PHP environment:
1) shell -> database = return escapeshellcmd(mysqli_real_escape_string($string));?
2) database -> shell = return mysqli_real_escape_string(escapeshellcmd($string));?
3) No difference at all?
Update
Just to clarify, the website I’m currently trying to fix contains a lot of old, deprecated functions, uses magic_quotes and is basically unusable after the transfer from the old host to the current one, where the problems arose.
The first problem was MySQL escaping, which I fixed with mysql_real_escape_string();, but the problem with the CLI/socket MySQL connection environment still persists. That is, when you have a value inside a textarea that refers to a UNIX command, preceded by a / (forward slash symbol), and you post it, Apache responds with 501 Method Not Implemented.
So yes, I have to escape MySQL and escape shell commands. But the shell command escaping (with example no. 1 from the original question) resulted in UTF-8 characters breaking and losing lots of needed HTML symbols.
The content that needs to be escaped comes out of a WYSIWYG editor (SPAW), therefore it contains a lot of quotes and from time to time a UNIX command that resembles our nation’s (Latvia’s) currency: “/ls”, where LS is the currency.
The website is updated by the client itself, not a tech person, and it has to stay that way; I mean, we cannot take over the content editing. Plus, while we could tell them not to use /ls, the UNIX problem persists if, for example, they accidentally get to /mkdir, which could resemble an identifier of something.
They are an active travel company, therefore this needs to be fixed ASAP. Since we took over their website, they are aware that the system is broken, but they don’t have free money at the moment to spend on a new website or on fixing the current one. We have concluded that fixing it would be harder, and therefore more expensive, than moving over to our CMS, but money is still money.
So, how do I escape shell and database commands from this WYSIWYG editor’s textarea, which is a single string, while preserving the UTF-8 encoding of our Latvian alphabet letters (ā, š, č, ž etc.)?
Maybe I don’t have to escape both, that’s why I’m asking.
Thanks in advance!
Update
On Shrapnel’s request, an example string (copied from SPAW’s HTML view) that would cause Apache to respond with 501:
<div>
<span style="color: rgb(0, 0, 128); " class="Apple-style-span">
<span style="font-size: 12px; " class="Apple-style-span">
/ls
</span>
</span>
</div>
SPAW automatically adds all these dumb elements, and yes, if /<command> is inside the string, 501!
And that’s all it takes to halt, just a name referring to a UNIX command line function. Like in this case /ls, but it could be /rmdir, /mkdir etc. You could have 20000 symbols of stuff there with no /ls and it’ll work. Once there is something like this – bam, dead!
There was originally a function that was meant to clear all the errors (at least I suppose so; its original name was removeShit();):
$string = $_POST['wysiwyg_textarea']; // SPAW text area
function removeStuff($string){
    // Strip the editor's placeholder path from the submitted text.
    // The parameter is $string, so it must be used here (the original
    // referenced an undefined $txt, which would have returned an empty result).
    return str_replace('/wysiwyg/empty.html', '', $string);
}
The file /wysiwyg/empty.html is 0 bytes, a completely empty file.
But this doesn’t cure the MySQL escaping and/or UNIX shell command recognition. Therefore, I need a fix to escape the UNIX commands and any MySQL harmful stuff.
So, I was trying to do it with:
return escapeshellcmd(mysqli_real_escape_string($string));
But this one strips out all the UTF-8 characters, plus all the new line symbols got converted to the simple string “rn” from, I’d guess, \r\n.
And now I’m looking for a function to escape MySQL and shell cmds in one, because I cannot think of another way to cure all this mess.
Neither.
Use either escapeshellcmd() or mysqli_real_escape_string(), depending on what you are planning to do with $string. Never use both at the same time. It wouldn’t make sense.
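The point of the answer, escape once and only for the sink that consumes the string, as an added PHP example that is not part of the question or answer: the database sink uses a prepared statement (which needs no manual escaping at all), the HTML sink is escaped at render time, and a shell quoting helper exists only for the case where a value truly becomes a command argument. The table name `pages`, the connection `$db` and the sample editor text are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection $db
// to a table `pages(body TEXT)` and that the connection charset is utf8mb4;
// these names are placeholders.
declare(strict_types=1);

/** Database sink: a prepared statement sends the bytes as-is, "/ls" included,
 *  so no escaping function is applied and no data is altered. */
function storeEditorBody(mysqli $db, string $html): bool
{
    $stmt = $db->prepare('INSERT INTO pages (body) VALUES (?)');
    $stmt->bind_param('s', $html);
    return $stmt->execute();
}

/** If mysqli_real_escape_string() is used instead, the connection charset must
 *  be set first; escaping multibyte UTF-8 with the wrong charset corrupts it. */
function escapeForSql(mysqli $db, string $value): string
{
    $db->set_charset('utf8mb4');
    return $db->real_escape_string($value);
}

/** HTML sink: escape when rendering the stored text, never when storing it. */
function renderAsHtmlText(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Shell sink, only if the value really becomes one argument of a command:
 *  escapeshellarg() wraps the whole value in single quotes, unlike
 *  escapeshellcmd(), which is meant for a complete command string. */
function shellArgument(string $value): string
{
    return escapeshellarg($value);
}

// Constructed sample as the editor would submit it: HTML, a newline and Latvian letters.
$sample = "<div>/ls</div>\r\nCena: 10 Ls, pļava\n";

echo renderAsHtmlText($sample), PHP_EOL;   // tags become &lt;div&gt;..., letters untouched
echo shellArgument($sample), PHP_EOL;      // single-quoted, newline and "/ls" preserved literally

// Why stacking escapers is wrong: escapeshellcmd() backslash-escapes "\" itself,
// so applying it after an SQL escape doubles the escaping of every \n, \r, ' and ".
// A value stored that way no longer equals what the editor submitted.
echo escapeshellcmd("line one\\nline two 'quoted' \\\"x\\\""), PHP_EOL;
```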