Taking the topic back slightly: you certainly can store data that has been cleaned for XSS prior to inserting it. If that is your ruleset that is. Typically I recommend storing it as raw as it was provided, and dealing with the html quirks at runtime (during the selection process). But it all depends on your rules. if you allow someone to have a username that is <Script>, then you don't really want to not store it in its entirety. Simply use HTML entities during the display process instead. Bring the concept of the datastorage up from being a web thing to being a data thing. If I want to print reports instead of displaying in HTML, then the meaning of the characters will change, so I'd suggest keeping them raw is the best solution for cross usage.
MySQL should actually perform a slight bit better than MySQLi I would expect. Although it is lacking most of what makes MySQLi so awesome, so I wouldn't suggest that the trivial performance difference should be considered as a weighing factor in which you choose (ie: choose MySQLi from the two
). I haven't read anything official on removal of MySQL support (at least I don't think I have. . .), and its not listed as deprecated as of yet. But no I wouldn't be surprised if it just ups and disappears on 6.0 release.