[eluser]Scott Severance[/eluser]
The easiest thing would be to use a regex to check against a list of allowed characters. Something like this might do the trick:
Code:
$re = '^[a-zA-Z0-9.,+_~@-]*$';
If you properly escape all your data (CI's database functions do this), then I don't think that SQL injection is possible. If you dump URL data to the page, be sure to filter it so that someone can't insert a tag. I do a case-insensitive search for '<script' and send an appropriate HTTP error if it's found (something like 404 Not Found, 403 Forbidden, or 400 Bad Request).
The other consideration when it comes to valid URLs is whether you're using characters that are allowed in URLs. I'm not sure what those are, but a single quote might cause problems. But probably it won't.
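
The allow-list check from the post above, applied per URI segment, as an added example that is not part of the original post and is not CodeIgniter's own code. The function name `allowed_segments` and the sample paths are hypothetical; the character class is the one from the post, with PCRE delimiters and `\A`/`\z` anchors added because a bare `$` also matches just before a trailing newline.

```php
<?php
// Added illustration; names and sample paths are hypothetical.

// Character allow-list from the post. \A and \z anchor to the true start and
// end of the string, so a segment ending in "\n" is rejected.
const SEGMENT_RE = '/\A[a-zA-Z0-9.,+_~@-]*\z/';

/**
 * Return the decoded segments of a request path, or null if any segment
 * contains a character outside the allow-list.
 */
function allowed_segments(string $path): ?array
{
    $segments = [];
    foreach (explode('/', trim($path, '/')) as $raw) {
        // Check the decoded form, so "%3C" is judged as "<".
        $segment = rawurldecode($raw);
        if (preg_match(SEGMENT_RE, $segment) !== 1) {
            return null;
        }
        $segments[] = $segment;
    }
    return $segments;
}

// Constructed sample paths.
$samples = [
    '/user/scott@example.com/page-2', // every character is on the list
    '/search/%3Cscript%3E',           // decodes to "<script>"
    '/user/bob%0A',                   // decodes to a trailing newline
    "/item/o'brien",                  // single quote is not on the list
];

foreach ($samples as $path) {
    $segments = allowed_segments($path);
    if ($segments === null) {
        // In a web request this would be: http_response_code(400); exit;
        echo "400 Bad Request: $path\n";
        continue;
    }
    // Encode on output even after validation.
    echo '200 OK: ' . htmlspecialchars(implode(' / ', $segments), ENT_QUOTES, 'UTF-8') . "\n";
}
```

Only the first sample path passes; the other three are answered with 400 before any segment reaches a query or the page.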