URL安全性

为了URL的安全性，我做了以下功能。我只是想知道是否有什么我需要重新考虑或更改下面的代码。在阅读了关于各种来源的安全性的文章之后，我已经完成了这个功能。 这是功能：

// filters possible malacious stuff from URLs
private function filter_url($url)
{
  if (is_array($url))
  {
    foreach($url as $key => $value)
    {
        // recurssion
        $url[$key] = filter_url($value);
    }
return $url;
}
else
{
    // Allow only one ? in URLs
    $total_question_marks = substr_count($url, '?');
if ($total_question_marks >= 2)
    {
        exit('You can not use 2 question marks (?) in URLs for security reasons!!');
    }
// decode URLs
    $url = rawurldecode($url);
    $url = urldecode($url);
    // remove bad stuff
    $url = str_replace('../', '', $url);
    $url = str_replace('..\\', '', $url);
    $url = str_replace('..%5C', '', $url);
    $url = str_replace('%00', '', $url);
    $url = str_ireplace('http', '', $url);
    $url = str_ireplace('https', '', $url);
    $url = str_ireplace('ftp', '', $url);
    $url = str_ireplace('smb', '', $url);
    $url = str_replace('://', '', $url);
    $url = str_replace(':\\\\', '', $url);
    $url = str_replace(array('<', '>'), array('&lt;', '&gt;'), $url);
// Allow only a-zA-Z0-9_/.-?=&
    $url = preg_replace("/[^a-zA-Z0-9_\-\/\.\?=&]+/", "", $url);
//print $url;
    return $url;
  }
}

$_GET = filter_url($_GET);

$_SERVER['QUERY_STRING'] = filter_url($_SERVER['QUERY_STRING']);