If I am retrieving data with $_GET from the URL string and not displaying that data back on a webpage or doing any SQL actions with it, should I still consider using escape, regular expression and other security code? The string could contain any char.
Hope that makes sense.
if you are not outputting the string or passing it to another program (sql, open file, …) you don't need to escape it.
If you are not using the URL param in a SQL statement it can not be used as a SQL injection.