Security in dynamically generated queries

Hello everyone!

I am developing a script that uses dynamically generated queries based on user input however those fields can be modified using a tool such as firebug and would like to know if someone can tell me if I am doing things the right way or if there is a way to sanitize the queries in a better way, basically for all fields in the form the values are limited so I make sure that the passed value is in an array of accepted values otherwise the query is stopped but there is a field where the user can enter text to search for and that cannot be limited to certain values the way I did with the rest of the fields so I am using mysql_real_escape_string only basically for the text field I do the following

if ( $delimiters['filterword'] != null ){	
		$delimiters['filterword'] = mysql_real_escape_string ( $delimiters['filterword'] );
		$query .= $where . 'title LIKE "%' . $delimiters['filterword'] . '%"';
		$query2 .= $where . 'title LIKE "%' . $delimiters['filterword'] . '%"';

And for the rest of the fileds where the values are limited to an expected value I do this

if ( ( int ) $delimiters['lang'] != 0 ){
		if ( in_array ( $delimiters['lang'], $expectedValues, true ) === false )
			die ( $err );
		$query .= $where . $and . ' language = "' . $delimiters['lang'] . '"';
		$query2 .= $where . $and . ' language = "' . $delimiters['lang'] . '"';

Is this a good way of doing it or should I be sanitizing the data some other way?

That’s good. You may as well escape all string input - even if they’re in a pre-set list of yours. You may add some later with a character which needs to be escaped and it could take some time to track down the problem when it comes up.

And any input you expect to be an integer, cast to int, float cast to float, etc.

Thank you for the input