I see there's lots of talk here about how to pull off sanitizing data. Could it be as easy as adding this rewrite rule to .htaccess?

RewriteRule ^([\w\-]+)$ index.php?page=$1

To my understanding this would allow only letters, numbers, _ and - in $1, am I right?

If you add the use of prepared statements for SQL queries, it should be pretty bulletproof, is that right?

Somehow it feels too easy to be true; am I missing something, any ways to firm it up?

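As an added example (not from the original post), here is the rule from the question paired with the PHP side it would front. The page table, its columns and the exact slug regex are assumptions. The point worth seeing is that the whitelist has to be repeated in PHP: the .htaccess rule only governs URLs that go through the rewrite, while a request sent directly to /index.php?page=... never touches it, and the slug is then bound into a prepared statement rather than interpolated.

```php
<?php
// Added example, not code from the original post. Assumed .htaccess
// (the question's rule, with an [L] flag so later rules do not re-process it):
//   RewriteEngine On
//   RewriteRule ^([\w\-]+)$ index.php?page=$1 [L]
// Table name, column names and the regex below are assumptions.
declare(strict_types=1);

// \w in PCRE without the /u modifier is ASCII letters, digits and underscore.
const PAGE_PATTERN = '/\A[\w\-]+\z/';

/** Returns the page slug if it passes the whitelist, otherwise null. */
function validPageSlug(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // \A and \z anchor the whole string; with ^...$ a trailing newline would slip past.
    return preg_match(PAGE_PATTERN, $raw) === 1 ? $raw : null;
}

/** Loads the page body with a prepared statement; the slug is bound, never concatenated. */
function loadPage(PDO $db, string $slug): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// Demonstration against an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO pages VALUES ('about-us', 'About page')");

// Constructed inputs: a valid slug, one with a trailing newline, one with a quote,
// and one with an umlaut (rejected by the ASCII-only whitelist, which is the
// restriction the answers below object to).
foreach (['about-us', "about-us\n", "about'us", 'über', 'missing'] as $candidate) {
    $slug = validPageSlug($candidate);
    printf("%-16s -> %s\n", json_encode($candidate),
        $slug === null ? 'rejected by whitelist' : (loadPage($db, $slug) ?? 'no such page'));
}
```

Run it with `php index_example.php` (any file name) on a PHP build with the pdo_sqlite extension; no web server is needed for the demonstration. Because `loadPage()` uses a bound parameter, the rejected inputs would be safe for the query even without the whitelist; the whitelist still matters for everything else the slug might be used for, such as file names or output.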

Not necessarily, since your rule is simply too strict for many use cases. Think for instance of umlauts in string inputs. You will have to allow some non-ASCII characters for many inputs. Such data is percent-encoded in URLs, so you would need to start blocking out certain characters, and that might be useless for security. There are many, many more attack vectors than just database injections.

For those various dangers, there's no "one-size-fits-all" sanitation method. For each scenario (use in file names, in HTML output, in JavaScript output, in e-mails, ...), there's one proper way. Blocking out "invalid" characters on the web server level isn't practical; for perfect security you would need to re-create all those specific sanitation functions in Apache syntax, which is hard.

See also: PHP: the ultimate clean/secure function
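To make the "one proper way per context" point concrete, here is an added example (not from the answer above) that takes one untrusted string containing an umlaut and renders it into four of the contexts the answer lists. The sample input and function names are constructed for the example. Note that the umlaut survives in every context; the encoding is chosen by where the value ends up, which is exactly what a single character blacklist at the web server cannot do.

```php
<?php
// Added example, not code from the original answer. The same untrusted value
// rendered in four output contexts, each with the encoding that context needs.
declare(strict_types=1);

/** HTML body or attribute value: entity-encode the special characters. */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Inline JavaScript string literal: JSON-encode, also hex-escaping the characters that could end a <script> block. */
function forJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** URL query component: percent-encode everything outside the unreserved set. */
function forUrlParam(string $value): string
{
    return rawurlencode($value);
}

/** E-mail header value: refuse CR or LF, since a line break would start a new header. */
function forMailHeader(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('line break in header value');
    }
    return $value;
}

// Constructed sample input: an umlaut, HTML, a quote, an ampersand and a CRLF.
$name = "Jürgen <b>O'Neil</b> & Co.\r\nBcc: someone";

echo 'HTML : <p>' . forHtml($name) . "</p>\n";
echo 'JS   : <script>var name = ' . forJs($name) . ";</script>\n";
echo 'URL  : /search?q=' . forUrlParam($name) . "\n";
try {
    echo 'Mail : Subject: ' . forMailHeader($name) . "\n";
} catch (InvalidArgumentException $e) {
    echo 'Mail : rejected (' . $e->getMessage() . ")\n";
}
```

Run with `php contexts_example.php`. The mail case is the one where no encoding is available and the only correct handling is rejection, which is why a general-purpose "clean" function has no good answer for it.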

You might want to look into using something like mod_security if you are trying to do things at the web server level. It can help mitigate some attacks, but the ultimate level of defense must be done within PHP itself. There will always be an attack that will be considered "OK" by the web server, but cause chaos inside your application. No matter how you lock down query parameters to avoid injection vulnerabilities, there will be something you missed.

Why waste hours/days of your time coming up with the perfect RewriteRule when you can just do a simple mysql_real_escape_string() within PHP and catch everything immediately?