I usually use this, for example: $**** = preg_replace('/[^0-9a-zA-Z_]/',NULL,$_GET['****']);
It filters out all characters I didn't specifically allow. I can stop pretty much all script injections that way, but it depends on whether you want to allow some special characters anyway. Using preg_replace to filter out a series of characters is tricky and I'd recommend finding another way to do that. I dunno if the example applies here, but if you enter ".../...//" and you filter "../", what remains is "../". Also be for damn sure you use the quotes right in the SQL queries.
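An added example (not code from the post above) showing both points in PHP: the character whitelist, and why a single pass that removes "../" leaves "../" behind on the input ".../...//" while a fixed-point loop does not; the function names and sample inputs are constructed.

```php
<?php
// Added example, not the poster's code. Contrasts a character whitelist with
// single-pass blacklist stripping of "../", which is not idempotent.

// Whitelist: keep only characters explicitly allowed (the approach in the post).
function whitelist_alnum(string $input): string
{
    return preg_replace('/[^0-9a-zA-Z_]/', '', $input);
}

// Blacklist, single pass: removing "../" once can leave a fresh "../" behind.
function strip_dotdot_once(string $input): string
{
    return str_replace('../', '', $input);
}

// Blacklist, repeated until the string stops changing (fixed point).
function strip_dotdot_until_stable(string $input): string
{
    do {
        $before = $input;
        $input  = str_replace('../', '', $input);
    } while ($input !== $before);
    return $input;
}

// Constructed sample inputs.
$samples = [
    'report_2024',                 // benign
    '.../...//',                   // the post's example
    '<script>alert(1)</script>',   // script tag, for the whitelist case
];

foreach ($samples as $s) {
    printf(
        "%-30s whitelist=%-20s once=%-6s stable=%s\n",
        var_export($s, true),
        var_export(whitelist_alnum($s), true),
        var_export(strip_dotdot_once($s), true),
        var_export(strip_dotdot_until_stable($s), true)
    );
}
// '.../...//' -> once: '../'  stable: ''  whitelist: ''
```

The fixed-point loop only illustrates the idempotence problem; for file paths, resolving with realpath() and checking the result stays inside the intended directory is the more robust check.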