Do I need mysqli->real_escape_string after filter url?
I'm asking this question because I'm still not quite sure if filtering the $_GET variable is enough to prevent MySQL injection, so first I have a filter function:
    function filter_url($url)
    {
        if (is_array($url))
        {
            foreach ($url as $key => $value)
            {
                // recursion: filter every element of a nested array
                $url[$key] = filter_url($value);
            }
            return $url;
        }
        else
        {
            // remove everything except for a-zA-Z0-9_.-&=
            $url = preg_replace('/[^a-zA-Z0-9_\.\-&=]/', '', $url);
            return $url;
        }
    }
I have $_GET = filter_url($_GET); every time before I call

    $filter_case = isset($_GET['product_ID']) ? "and product_ID={$_GET['product_ID']}" : "";

Do I need to do $mysqli->real_escape_string($_GET['product_ID'])? If I still have to apply it, what kind of SQL injection will bypass my query method?
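The snippet above interpolates the filtered value directly into the SQL text, and the whitelist keeps several characters that are meaningful to the SQL parser. real_escape_string only protects a value that sits inside a quoted string literal, so it does not address an unquoted interpolation like this one. The robust mitigation is to validate the parameter as an integer and pass it to the database as a bound parameter rather than as SQL text. The following is an added example written for this page, not the poster's code: it assumes a mysqli connection in $mysqli and a table `products` with an integer column `product_ID` and a `name` column (those names are assumptions beyond the question's snippet).

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection
// ($mysqli) and a table `products` with columns `product_ID` (int) and
// `name`; both names are assumptions.

/**
 * Validate product_ID as a non-negative integer.
 * Returns null when the parameter is absent or is not a plain integer,
 * instead of silently stripping characters the way filter_url() does.
 */
function product_id_from_query(array $get): ?int
{
    if (!isset($get['product_ID'])) {
        return null;
    }
    $id = filter_var($get['product_ID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch products, optionally restricted to one product_ID.
 * The SQL text is fixed; the id travels separately as a bound parameter,
 * so it is never parsed as part of the statement.
 */
function find_products(mysqli $mysqli, ?int $product_id): array
{
    $sql = 'SELECT product_ID, name FROM products WHERE 1 = 1';
    if ($product_id !== null) {
        $sql .= ' AND product_ID = ?';
    }

    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    if ($product_id !== null) {
        // 'i' binds the value as an integer
        $stmt->bind_param('i', $product_id);
    }
    $stmt->execute();

    // get_result() requires the mysqlnd driver (default in modern PHP)
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage, mirroring the question's optional "$filter_case" clause:
// $mysqli = new mysqli('localhost', 'user', 'pass', 'shop'); // assumed credentials
// $rows   = find_products($mysqli, product_id_from_query($_GET));
```

Rejecting non-integer input outright (returning null and thereby dropping the filter) is deliberate: a value that fails FILTER_VALIDATE_INT cannot be a valid product_ID, and logging such rejections gives a cheap detection signal for probing of this parameter.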