this is not secure at all, because htmlspecialchars is for escaping HTML
characters (just like the name says). What you need to do is escape chracters that have a special meaning in SQL
. Those are two completely different things. All your function will do is mess up the strings.
In fact, you should forget the idea of a magic allround escaping function that takes care of everything. This doesn't work. Filtering input depends on the specific context and requires specific precautions. So do not just apply a function to all input. Instead, escape the input specifically for the particular context.
When you use the old mysql_ functions, this would look like this:
$sql = "
`email` = '" . mysql_real_escape_string($_POST['email']) . "'
Note that it's not always enough to escape special characters. Sometimes you need to do additional things (like the quotes for SQL values). And sometimes all escaping doesn't help (like when you insert user input in a <script> element).
The best approach, however, is to completely separate code and data. In SQL, you can do this with prepared statements (as provided by the Mysqli library or the PDO interface).