Actually, URLs can only contain 73 different characters:
- Uppercase letters (26)
- Lowercase letters (26)
- Numbers (10)
- These special characters: `$-_.+!*'(),` (11)
So stripping out anything else will go a long way to helping avoid cross-site scripting attacks. SQL injection attacks are mitigated by properly escaping strings before putting them into a SQL query -- most languages will provide a wrapper for MySQL's internal string escaping function, or use prepared statements which take care of it automatically.
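As an added illustration (not part of the answer above), the following Python puts both of its recommendations side by side: an allowlist filter built from exactly the 73 characters the answer lists, and a parameterised query next to a string-concatenated one. The in-memory SQLite table and its rows are constructed sample data; note that `'` is in the URL allowlist, which is why stripping alone cannot be the SQL defence.

```python
import sqlite3
import string

# Allowlist exactly as the answer enumerates it: letters, digits and $-_.+!*'(),
URL_ALLOWED = frozenset(string.ascii_letters + string.digits + "$-_.+!*'(),")


def strip_to_url_charset(value: str) -> str:
    """Drop every character outside the 73-character set listed above."""
    return "".join(ch for ch in value if ch in URL_ALLOWED)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form: user input is pasted straight into the SQL text."""
    return conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'"
    ).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the driver binds the value, so it is data, never SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def concatenation_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query no longer parses for this input."""
    try:
        lookup_concatenated(conn, name)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    # An apostrophe survives the URL allowlist, so only the bound query copes with it.
    name = strip_to_url_charset("o'brien&x=1")
    print(name, concatenation_breaks(db, name), lookup_prepared(db, name))
    print(strip_to_url_charset("<script>alert(1)</script>"))
```

Running it shows the apostrophe-bearing name breaking the concatenated query while the prepared statement simply returns no rows.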