Heh. All you'll ever really need is:
...
^ for when you only want letters and numbers
...
^ When entering a variable value into an SQL query
...
^ When displaying it on a page
... that's all there really is to it. Dunno why some people go way over the top with billions of security checks. If you don't want non-alphanumerical, then don't allow it. If you are using PHP with SQL, add and strip slashes. And always make sure what the user requests is actually available. That's really all you need :S If you DO want to allow non-alphanumerical, just remember to disallow HTML special characters:
...
.. or a variant of that.
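The three checks listed in this post (letters and numbers only, a value going into an SQL query, a value shown on a page), written out as an added example that is not the poster's code. For the SQL step it uses PDO parameter binding rather than adding and stripping slashes; the function names, the `users` table and the in-memory SQLite data are constructed for illustration.

```php
<?php
// Added example: function names, table and data are constructed.

// 1. Letters and numbers only: reject anything else up front.
function is_alnum_only(string $value): bool
{
    // ctype_alnum() is false for the empty string and for any
    // character that is not a letter or a digit.
    return ctype_alnum($value);
}

// 2. Value going into an SQL query: bind it as a parameter so it is
//    never parsed as part of the SQL text.
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // null means the requested record is not available.
    return $row === false ? null : $row;
}

// 3. Value displayed on a page: escape HTML special characters on output.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample database (in memory, nothing touches disk).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$ins = $db->prepare('INSERT INTO users (name, bio) VALUES (?, ?)');
$ins->execute(['alice42', 'Likes <b>bold</b> & "quotes"']);

// Constructed sample requests: valid, unknown, non-alphanumeric, empty.
$requests = ['alice42', 'bob', "alice42' OR '1'='1", ''];
foreach ($requests as $name) {
    if (!is_alnum_only($name)) {
        echo 'rejected: ' . html($name) . "\n";
        continue;
    }
    $user = find_user($db, $name);
    if ($user === null) {
        echo 'not found: ' . html($name) . "\n";
        continue;
    }
    echo '<p>' . html($user['name']) . ': ' . html($user['bio']) . "</p>\n";
}
```

The stored `bio` keeps its raw characters in the database; escaping happens only where the value is written into HTML.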