'Filter in, escape out'. If you haven't read it yet I'd suggest you look into Shiflett's
Essential PHP Security: old, but clear, and still very relevant.
Regarding your implementation: I'd use PDO (http://php.net/manual/en/book.pdo.php), specifically '$prepared_statement = $pdo->prepare();' on all products going into the DB (filter in, to avoid people messing with your db). Then use htmlentities() on all the stuff I put on the frontend HTML (escape out, avoiding all kinds of headaches). This should take care of 99% of hackers/crackers, at least for products, if you don't (or may not in the future) have full control over what goes into them (e.g., APIs from other sites).
You might also want to '$all_products = $prepared_statement->fetchAll();', then work from $all_products (a PHP array, so you don't have to make so many connections to the DB). And you could give, e.g., 25 products at a time, if you've got a lot of them.
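The "filter in, escape out" pattern from the answer above, written out as an added example (not the poster's own code). It assumes a products table with id, name and description columns and uses an in-memory SQLite database as a constructed stand-in so it runs without a server; the page size of 25 and the sample rows are made up for the demonstration.

```php
<?php
// Constructed in-memory SQLite stand-in for the products table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');

// "Filter in": every value reaching the DB goes through a bound parameter,
// never string concatenation, so quotes in the data cannot alter the SQL.
$insert = $pdo->prepare('INSERT INTO products (name, description) VALUES (:name, :desc)');
$samples = [
    ['Widget', 'Plain description'],
    ["O'Reilly Mug", '<script>alert(1)</script> "quoted"'],  // constructed hostile input
];
foreach ($samples as [$name, $desc]) {
    $insert->execute([':name' => $name, ':desc' => $desc]);
}

// Fetch one page at a time instead of the whole table. LIMIT/OFFSET must be
// bound as integers; passing them in the execute() array would quote them as strings.
function fetchProductPage(PDO $pdo, int $page, int $perPage = 25): array {
    $stmt = $pdo->prepare(
        'SELECT id, name, description FROM products ORDER BY id LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);  // one round trip; work on the array afterwards
}

// "Escape out": encode at the moment of output, for the HTML context.
// ENT_QUOTES also covers attribute values; the charset must match the page's.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (fetchProductPage($pdo, 1) as $p) {
    echo '<li data-name="' . h($p['name']) . '">' . h($p['description']) . "</li>\n";
}
```

The second sample row is rendered as inert text rather than a script tag, and the apostrophe in its name cannot break out of the data-name attribute.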