HTML strip
after getting rid of HTML from database, we should also process all the inputs not just for SQL injection but also for script injection and strip_tags
from all the $_[POST,GET,REQUEST]
https://www.php.net/manual/en/function.strip-tags.php
viz /inc/database.php