Any input should be filtered and validated. If any of it is to be printed to the page, it should be escaped.
So if you are using $_GET to get URL variables, you must decide what values you are willing to accept: numbers only, text only, or just specific characters or words.
How you do that will depend on what type of data you want to accept, but preg_replace can be useful for stripping out unwanted characters.
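The three kinds of rule the answer mentions (number only, a fixed set of words, a restricted character set) plus escaping on output, written out as an added example that is not part of the original answer. The `$input` array is constructed sample data standing in for `$_GET` so the script runs from the command line; the function names and the allowlist values are assumptions for illustration.

```php
<?php
// Added example (not from the original answer): validate each URL parameter
// against what the page is willing to accept, then escape anything echoed back.
// The $input array below is constructed sample data standing in for $_GET.

declare(strict_types=1);

// "number only": accept a positive integer, reject everything else.
function validateId(array $input, string $key): ?int
{
    if (!isset($input[$key])) {
        return null;
    }
    $id = filter_var($input[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// "specific words": accept only a value from a fixed allowlist, else a default.
function validateSort(array $input, string $key, array $allowed, string $default): string
{
    $value = $input[$key] ?? $default;
    return in_array($value, $allowed, true) ? $value : $default;
}

// "specific characters": strip everything except letters, digits, spaces,
// underscore and hyphen, then cap the length. preg_replace does the stripping.
function sanitizeSearch(array $input, string $key, int $maxLen = 100): string
{
    $raw = (string) ($input[$key] ?? '');
    $clean = preg_replace('/[^\p{L}\p{N} _\-]/u', '', $raw);
    if ($clean === null) {
        // With the /u modifier, invalid UTF-8 makes preg_replace return null.
        return '';
    }
    return mb_substr(trim($clean), 0, $maxLen);
}

// Escape for HTML output. Validation limits what gets in; escaping is still
// required for anything printed, because a "valid" value may still contain
// characters that mean something to the browser.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request; in a real page this would be $_GET.
$input = [
    'id'   => '42abc',                        // not a clean integer -> rejected
    'sort' => 'price; DROP TABLE products',   // not in the allowlist -> default used
    'q'    => '<script>alert(1)</script> shoes',
];

$id   = validateId($input, 'id');                                        // null
$sort = validateSort($input, 'sort', ['name', 'price', 'date'], 'name'); // "name"
$q    = sanitizeSearch($input, 'q');                                     // "scriptalert1script shoes"

echo 'id: ' . var_export($id, true) . PHP_EOL;
echo 'sort: ' . $sort . PHP_EOL;
echo 'Results for: ' . e($q) . PHP_EOL;
```

For parameters with a strict format (an id, a sort column) rejecting or defaulting is safer than stripping, since silently removing characters can turn one bad value into a different, unexpected valid one; stripping with preg_replace fits free-text fields such as a search term. Either way, `htmlspecialchars` on output is what actually prevents the value from being interpreted as HTML.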