I finally got mod_rewrite working as I wanted:

RewriteRule ^([A-Za-z0-9]+)/?$ whatever.php?foo=$1

to tidy up some ugly URLs. Is the regular expression "([A-Za-z0-9]+)" sufficient to strip out dangerous 'injection hack'-type characters? I do use the value of foo in that query string as part of my database query. What would you folks recommend? Thanks!
You should not use mod_rewrite to protect your scripts. The original URL will only be overwritten if it matches the pattern. Your pattern only allows alphanumeric characters. That means if the user enters "dangerous" characters, the URL will simply not be overwritten, and a 404 error would be thrown. Validate all your input in your PHP scripts. THAT makes your script safe.
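
As an added example (not code from either poster), this is one way whatever.php could validate foo itself and pass it to the database as a bound parameter instead of relying on the rewrite rule. The items table, its columns, the 64-character cap and the sample inputs are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Same character class as the rewrite rule, enforced inside the script.
// \A and \z anchor the whole string ("$" alone would accept a trailing newline).
// The length cap of 64 is an assumption for this example.
function validate_foo(mixed $raw): ?string
{
    if (!is_string($raw)) {          // rejects array input such as foo[]=a
        return null;
    }
    return preg_match('/\A[A-Za-z0-9]{1,64}\z/', $raw) === 1 ? $raw : null;
}

// Bound parameter: the value is never concatenated into the SQL text.
function find_item(PDO $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM items WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, slug TEXT UNIQUE, title TEXT)');
$db->exec("INSERT INTO items (slug, title) VALUES ('widgets', 'Widgets page')");

// In whatever.php the value would come from $_GET['foo'] ?? null.
// These inputs are constructed for the example.
$samples = ['widgets', 'Widgets2', "widgets\n", "o'brien", 'a;b', ['a'], '', null];
foreach ($samples as $raw) {
    $foo = validate_foo($raw);
    if ($foo === null) {
        echo json_encode($raw), " => rejected (respond 400)\n";
        continue;
    }
    $row = find_item($db, $foo);
    echo json_encode($raw), ' => ', $row ? $row['title'] : 'not found (respond 404)', "\n";
}
```

The validation and the prepared statement are independent layers: the query stays parameterized even if the allowed character set is widened later.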