I have a website in PHP that does include() to embed the content into a template. The page to load is given in a GET parameter, I add ".php" to the end of the parameter an
$page = preg_replace('/[^-a-zA-Z0-9_]/', '', $_GET['page']);
Is probably the quickest way to sanitize this. This will take anything and make sure that it only contains letters, numbers, underscores or dashes.
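The filter above placed in a complete include path, as an added example that is not part of the original answer. It goes one step beyond the character filter by handling array and empty input and by confirming the resolved file sits inside the pages directory. The `pages` directory, the `home` default and the `resolve_page` name are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: page fragments live in ./pages next to this script.
const PAGES_DIR = __DIR__ . '/pages';
const DEFAULT_PAGE = 'home';

/**
 * Map the raw ?page= value to a file inside $dir, or null if it is unusable.
 */
function resolve_page($raw, string $dir = PAGES_DIR): ?string
{
    // ?page[]=x arrives as an array; treat anything that is not a string as absent.
    if (!is_string($raw)) {
        $raw = DEFAULT_PAGE;
    }

    // Same character filter as the answer: keep letters, digits, '_' and '-'.
    $page = preg_replace('/[^-a-zA-Z0-9_]/', '', $raw);

    // Input such as "../../" filters down to "", which would otherwise include ".php".
    if ($page === null || $page === '') {
        $page = DEFAULT_PAGE;
    }

    $base = realpath($dir);
    $file = realpath($dir . '/' . $page . '.php');

    // realpath() returns false for missing files; also confirm the resolved
    // path is still inside the pages directory (guards against symlinks).
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

$file = resolve_page($_GET['page'] ?? DEFAULT_PAGE);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

Because the filter strips characters rather than rejecting the request, a value like `a/b` resolves to `ab.php`; the existence check decides whether that maps to a real page.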