You should send it through mysql_escape_string() first.

Take a look at urlencode() and str_replace() if you want to also handle spaces, carriage returns, line feeds, etc. differently. Depends on exactly what you want the code to handle, and what you want done with it.
_________________________
Donato
MkII/080000565
MkIIa/010101253
ricin.us