Is Preventing Xss and SQL Injection as Easy as Does This

Prevent SQL injection and XSS attacks

You shouldn't be trying to "brute force" security like this - layering all of these different filters/escapes one after another on every piece of data is silly and may actually make the escaping not work as intended.

This is because the kinds of characters that are added for one kind of escaping may be removed by another. You may also end up with over-escaping.

Instead, you should use the escaping function that is specifiy for what you are actually trying to do:

Before you put values into a SQL query, run them through mysqli_real_escape_string() (or better yet, use prepared statements via MySQLi/PDO).
Before you echo values out to a HTML response, run them through HTML escaping and/or XSS cleaning.
Etc.

How to prevent against XSS and SQL injection

As mentioned, prepared statements are one of the best ways to prevent SQL injections. i.e., you shouldn't add your parameters as part of the final query string. You should use parameter placeholders, and add the parameters via a key/value array.

If you're using PDO, have a look at this page, which describes prepared statements in greater detail:

http://php.net/manual/en/pdo.prepared-statements.php

A quite thorough explanation of PHP's input filters (and a good article on sanitization) can be found here:

http://coding.smashingmagazine.com/2011/01/11/keeping-web-users-safe-by-sanitizing-input-data/

Check here for PHP's own filters/sanitization functions:

http://www.php.net/manual/en/filter.filters.php

You are probably interested in the filter_var and filter_input functions:

http://www.php.net/manual/en/function.filter-var.php
http://www.php.net/manual/en/function.filter-input.php

Also, this question has some good pointers:
What's the best method for sanitizing user input with PHP?

This question has very good pointers too:
What are the best PHP input sanitizing functions?

Is sql injection and cross-site scripting still a thing?

I'll tell a story.

My mother used to volunteer with a group to go to the local college campus to help students register to vote (in the US, people can vote at age 18, but they aren't registered by default, they have to fill out a form). She and her group would set up a table in the quad with a supply of forms and guide the students to fill it out and mail it in.

After years of doing this, one of the other women in the group said, "We've been coming onto campus to help these kids register for TEN YEARS! When are they going to be able to do it on their own?"

My mom and the others looked at her and said slowly, "There is a new set of students turning 18 years old every year."

The same thing is true for defense against SQL injection and Cross-Site Scripting. There are new programmers entering the profession every year.

In fact, studies show that the number of software developers doubles every five years, which means at any given time, 50% of software developers are what I would consider "junior developers" with less than five years of experience. By the time those people have become senior developers, there's again just as many younger developers who have entered the profession after them.

All of them need to be trained to understand SQL injection and Cross-Site Scripting defense before they should be allowed to put their code on a live server.

One at a time.

Every year.

SQL injection and Cross-Site scripting will continue to be a thing as long as there are software developers.

I also can reference the SQLi Hall-of-Shame, a web page that references news stories about data breaches perpetrated by exploiting SQL injection vulnerabilities. The seem to be multiple such stories every month, and these are just the break-ins that made the news. It's undoubtedly the tip of the iceberg.

Are there global setting prevent the sql injection and XSS ? (ASP.NET)

The best way to prevent SQL injection is: use parameters. Anything else is just a "maybe it'll prevent some attacks" arms race against people who can simply reflect (disassemble) the implementation to see what might make it past.

Xss is likewise best prevented by correctly encoding your outputs. Both aspx and razor make this easy.

does XSS filtering in codeigniter doesn't prevent SQL injections?

First of all, both topics are not specific to CodeIgniter.
But CodeIgniter has specific way to handle some of this. Please read https://ellislab.com/codeigniter/user-guide/general/security.html

Remember that CodeIgniter will not save you from any of these and you must understand how both of these attacks works.

It is important to understand these are two different attacks, as with any attacks, they could be coupled together. For example using a XSS/CSRF to perform a SQL injection via. a crafted link to a administrator or etc.

XSS is when the attacker can inject code to be executed on the clientside. For example placing a <script> tag in your code. This often happens if you output data which the user has provided without sanitizing it or validating it. Typically this could be their username, a post title, $_GET data and etc. There are alot more ways to get a script executed on the clientside other than a script tag, so make sure to read up on the subject.
To avoid it, always escape user inputted data, from any source.
You can read more about it https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

SQL injection is when the attacker can change the SQL query for a malicious purpose. The most common way to avoid injection is to make sure to escape every input, before passing it to a query. Using prepared statement also helps alot. In CodeIgniter, you often use the "ActiveRecord" db thing, which escapes the input for you.
You can read more about it, including examples https://www.owasp.org/index.php/SQL_Injection

You should also read https://www.owasp.org/index.php/Top_10_2013-Top_10 and become familiar with the most common attacks.

Mysqli - Are parameterized queries enough for preventing XSS second order attacks?

Nope.

A parametrized query protects against SQL Injection; that is it ensures query parameters are well formed and correctly escaped prior to processing by the SQL back end.

XSS is a different class of problem whereby input should be sanitized of HTML markup; given that a correctly parametrized SQL value can still contain markup, you need additional encoding (E.g. htmlspecialchars()).