Db security for link submission site

What’s the best way to minimize potential risks like sql injection attacks, when site visitors add a link that goes directly into the database?

I can’t just block all the characters, since too many websites have all sorts of characters in their links. Do I just delete some that never seem to be used, like quotes, etc.?

Actually, URLs can only contain 73 different characters:

  • Uppercase letters (26)
  • Lowercase letters (26)
  • Numbers (10)
  • These special characters: $-_.+!*'(), (11)

So stripping out anything else will go a long way toward helping you avoid cross-site scripting attacks. SQL injection attacks are mitigated by properly escaping strings before putting them into a SQL query – most languages provide a wrapper for MySQL’s internal string escaping function – or by using prepared statements, which take care of it automatically.
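The prepared-statement approach from the answer, shown as an added example that is not code from the original thread. It uses Python's standard-library sqlite3 module as a stand-in for MySQL (the same placeholder-binding idea applies to MySQL drivers), and the `links` table, the `url` column and the http/https-only acceptance policy are assumptions made for this example. The concatenated version is included only to show why a quote in an ordinary link breaks it:

```python
"""
Added example (not from the original thread): store a visitor-submitted link
with a parameterized INSERT so the link text is bound as data, never spliced
into SQL. sqlite3 stands in for MySQL; table/column names are assumptions.
"""
import sqlite3
from urllib.parse import urlsplit

# Example policy (an assumption, not from the thread): only web links are accepted.
ALLOWED_SCHEMES = {"http", "https"}


def open_db():
    """Create an in-memory database with the links table used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT NOT NULL)")
    return conn


def validate_url(url):
    """Return the URL if it parses as an absolute http(s) URL, else None.

    This is input validation, separate from SQL safety: the parameterized
    query below protects the database no matter what the string contains;
    validation only rejects submissions that are not web links at all.
    """
    if not isinstance(url, str) or len(url) > 2048:
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return url


def insert_link_unsafe(conn, url):
    """The pattern the question worries about: the link is concatenated into SQL.

    A single quote inside a legitimate link changes the statement's structure,
    so the query fails (or, with other input, does something else entirely).
    Kept here only to show what goes wrong.
    """
    conn.execute("INSERT INTO links (url) VALUES ('" + url + "')")
    conn.commit()


def insert_link(conn, url):
    """Safe version: the driver binds the value through a placeholder."""
    checked = validate_url(url)
    if checked is None:
        raise ValueError("not an acceptable http(s) URL")
    cur = conn.execute("INSERT INTO links (url) VALUES (?)", (checked,))
    conn.commit()
    return cur.lastrowid


def stored_urls(conn):
    """Return every stored link, in insertion order."""
    return [row[0] for row in conn.execute("SELECT url FROM links ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    # Constructed sample input: a legitimate link whose query string contains a
    # quote, which the concatenated query misreads as the end of the literal.
    tricky = "https://example.com/search?q=o'reilly&lang=en"
    try:
        insert_link_unsafe(db, tricky)
    except sqlite3.OperationalError as exc:
        print("concatenated query broke:", exc)
    insert_link(db, tricky)
    print(stored_urls(db))
```

The point of the split between `validate_url` and `insert_link` is that character filtering decides which links you want, while the placeholder decides how the chosen string reaches the database; the second is what stops injection, so it should not depend on the first being perfect.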