The third section is open to all non-numeric characters.
Is it possible to mysql inject or attack to browser client?
Is there a way to clean it; for better security? (I mean $matches[3])
Thanks
Your SQL should be prepared/escaped at the point where you create the query itself, regardless of whether you rewrite URLs or not. So no, URL rewriting is not the cause of, nor the appropriate solution to, SQL injection.