It should be noted…

It should be noted that:

$catstring = preg_replace("#[^a-zA-Z0-9\s/-_]#",'',$catstring);

does not equal:

$catstring = preg_replace("#[^a-zA-Z0-9\s/\-_]#",'',$catstring);

especially if it’s important to maintain the “-” character in a string.

Funny how a single unescaped pattern match can break all kinds of navigation in one’s web application.
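To see exactly what the unescaped form changes, here is an added example (not code from the original application) that runs every printable ASCII character through both patterns and reports the difference. Inside a character class, `/-_` is read as the range from `/` (0x2F) to `_` (0x5F), so the hyphen is stripped while a run of punctuation the filter was never meant to allow gets through. The function name and the sample slug are made up for illustration.

```php
<?php
// Added example: compare which printable ASCII characters each character
// class lets through. Patterns follow the post; the sample slug is constructed.

$unescaped = '#[^a-zA-Z0-9\s/-_]#';   // "/-_" is parsed as the range 0x2F..0x5F
$escaped   = '#[^a-zA-Z0-9\s/\-_]#';  // "\-" is a literal hyphen

// Hypothetical helper: return every printable ASCII character that
// survives preg_replace() with the given pattern.
function allowed_chars(string $pattern): string
{
    $kept = '';
    for ($c = 0x20; $c <= 0x7E; $c++) {
        $ch = chr($c);
        if (preg_replace($pattern, '', $ch) === $ch) {
            $kept .= $ch;
        }
    }
    return $kept;
}

$a = allowed_chars($unescaped);
$b = allowed_chars($escaped);

// Characters admitted by only one of the two filters.
$onlyUnescaped = implode('', array_diff(str_split($a), str_split($b)));
$onlyEscaped   = implode('', array_diff(str_split($b), str_split($a)));

echo "allowed only by the unescaped pattern: ", $onlyUnescaped, "\n";
echo "allowed only by the escaped pattern:   ", $onlyEscaped, "\n";

// Effect on a navigation-style string (constructed sample value).
$slug = 'news/php-tips_2';
echo "unescaped: ", preg_replace($unescaped, '', $slug), "\n";
echo "escaped:   ", preg_replace($escaped, '', $slug), "\n";
```

Placing the hyphen first or last in the class (for example `[^a-zA-Z0-9\s/_-]`) also makes it literal, which avoids relying on the backslash surviving copy and paste.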