enough checks/validation for url variable passed to php script in url?

I'm creating a script on my main server and will use js/html to call it as an image source, passing the current tumblr page's referrer variable so I can integr开发者_StackOverflowate my blog's stats into my main stat-tracking db.

Anyone who looks at the source, of course, will be able to see that this script can accept a url variable via get. I'm not much of a security wonk, but I'm using the following checks on the input to this var, currently:

$previous_referrer = htmlspecialchars($_GET['ref']);
if (filter_var($previous_referrer, FILTER_VALIDATE_URL) && strpos($_SERVER['HTTP_REFERER'], $tumblelog_url)!== FALSE)

I'm guessing it isn't this simple. What other checks should perform to lock it down against injection attacks?

For inserting data safely in a database :

1) Before inserting in DB

Filter data :

• Does my data had the expected type/patern (email,url ....)

The main purpose of filtering in first is to avoid processing useless data

Prevent from sql injection :

• if inserting a number use function like intval(),floatval()
• if inserting string use function like mysql_real_escape_string (for mysql only) or prepared statement.

2) After insertion , before display

Prevent Xss by using function like htmlspecialchars() or htmlentites().