Is my escape function really safe? [duplicate]

Published 2019-09-09 10:48

Question:

Possible Duplicate:
Best way to stop SQL Injection in PHP
The ultimate clean/secure function

My website was attacked via SQL injection and now I need to improve it. I'm creating a function in PHP, escape(), that returns the escaped version of a string. I'm not a hacker, so please help me to improve my escape function. Here is the current version:

function escape($string){
    $string = stripslashes($string);             // undo any backslash quoting already present
    $string = mysql_real_escape_string($string); // escape quotes etc. for the MySQL connection
    $string = strip_tags($string);               // remove HTML/PHP tags
    $string = str_replace('%','',$string);       // drop the LIKE wildcard '%'
    $string = str_replace('_','',$string);       // drop the LIKE wildcard '_'

    return $string;
}

My question is: is this hackable, and if it is, then how do I fix it? Thanks!

Answer 1:

This function has absolutely nothing to do with safety.
It barely protects you from some kinds of XSS injections. That's all.
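To make the answer concrete, here is an added example in PHP that is not part of the original question or answer: instead of one all-purpose escape() applied to input, the SQL is kept safe with prepared statements and bound parameters, numeric input is validated before it is bound, and HTML output is encoded at the point where it is rendered. It assumes PHP 7 or later with the PDO extension and the pdo_sqlite driver (an in-memory SQLite database stands in for MySQL so it runs offline); the table and column names (users, username, email) and the sample user are constructed for the demonstration.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumes PHP 7+ with PDO and pdo_sqlite; in-memory SQLite stands in for MySQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema for the demo.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');

// Bound parameters: the value travels separately from the SQL text, so
// quotes, backslashes, '%' and '_' need no escaping and are stored intact.
function addUser(PDO $pdo, string $username, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    $stmt->execute([':u' => $username, ':e' => $email]);
    return (int) $pdo->lastInsertId();
}

function findUserByName(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric context: string escaping does not apply to an unquoted number, so the
// input is validated as an integer first and then bound with an explicit type.
function findUserById(PDO $pdo, $id): ?array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return null; // reject anything that is not an integer before it reaches SQL
    }
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS is handled where the data is written into HTML, not where it is stored:
// encode for the HTML context at output time and keep the stored value as-is.
function renderUsernameHtml(string $username): string
{
    return '<span class="user">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Constructed sample: a legitimate name containing the characters the
// question's escape() would remove or alter (apostrophe, '_' and '%').
$name = "O'Brien_100%";
$id = addUser($pdo, $name, 'obrien@example.com');

$byName = findUserByName($pdo, $name);
echo 'round-trip intact: ', var_export($byName !== null && $byName['username'] === $name, true), "\n";
echo 'lookup by valid id: ', var_export(findUserById($pdo, $id) !== null, true), "\n";
echo 'non-integer id rejected: ', var_export(findUserById($pdo, 'not-a-number') === null, true), "\n";
echo 'html output: ', renderUsernameHtml($byName['username']), "\n";
```

The point of the separation is that each sink gets its own, context-specific handling: the database driver keeps parameters out of the SQL grammar, integer inputs are validated before use, and the HTML encoder is applied only when a value is rendered. Stripping characters on the way in, as escape() does, loses legitimate data without making either sink safe.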