Enhance PHP Security When Accessing Ghost(Pro) Installation

I am running on Ghost(Pro) and accessing our blog posts through the API in order to show them on our main website. My only problem is that bad actors are trying to break into the database by submitting API queries directly without going through my page(s). For example, in my PHP program I log rejected requests to a PHP error log, and I see a lot of entries like this:

Error retrieving blog post - http code is 400 query string is slug=mobile-wallet-definition-how-it-works-vs-digital-wallets%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)), IP Address is 81.0.246.169

and:

Error retrieving the investing’) AND (SELECT 2817 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(2817=2817,1))),0x71716b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (‘fobY’='fobY posts - http code is 400

I can tell that you are code checking the API access to prevent this sort of thing, but I’d rather catch it on my end. Can you give me an example of PHP code that I could use in my program to prevent even the sending of the API request to Ghost(Pro)? For example, if you check for invalid characters in the slug, can you tell me which characters are valid for the slug, and/or which are invalid? Thanks!

Through experimentation, I’ve come up with a reasonable API variable validation that seems to work (PHP code below):

```php
/* redirect to our blog index page if post slug is an invalid length */
if (strlen($_GET['slug']) > 191) {
    error_log('Blog post slug contains more than 191 characters. Slug is ' . $_GET['slug'] . '. IP Address is ' . $_SERVER['REMOTE_ADDR']);
    header("Location: blog-index-tags.php");
    exit();
}

/* redirect to our blog index page if post slug contains invalid characters */
$regex = "/[^a-zA-Z0-9-]/";
if (preg_match($regex, $_GET['slug'])) {
    error_log('Blog post slug contains invalid characters. Slug is ' . $_GET['slug'] . '. IP Address is ' . $_SERVER['REMOTE_ADDR']);
    header("Location: blog-index-tags.php");
    exit();
}
```
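
Added example, not part of the original post and not Ghost's own code: a stricter variant of the slug check above that also rejects missing, empty and array-valued input and neutralizes the value before it is logged. It assumes PHP 8.0 or later; the function names `validate_slug` and `loggable` are hypothetical, and the allowlist and 191-character limit are the poster's own values, not a documented Ghost rule.

```php
<?php
declare(strict_types=1);

// Return the slug if it matches the allowlist from the post above (letters,
// digits, hyphens; 1 to 191 characters), otherwise null. The parameter is
// mixed because a $_GET value can be missing or an array (?slug[]=x).
function validate_slug(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z anchor the whole string; "$" alone would allow a trailing newline.
    return preg_match('/\A[a-zA-Z0-9-]{1,191}\z/', $raw) === 1 ? $raw : null;
}

// Make a rejected value safe to write to the error log: non-printable bytes
// (including CR/LF) become "?" and long values are truncated, so a request
// cannot forge extra log lines or flood the log.
function loggable(mixed $raw, int $max = 200): string
{
    if (!is_string($raw)) {
        return '[' . gettype($raw) . ']';
    }
    $clean = preg_replace('/[^\x20-\x7E]/', '?', $raw) ?? '';
    return strlen($clean) > $max ? substr($clean, 0, $max) . '...' : $clean;
}

// Constructed sample inputs; the second is modelled on the log entry quoted above.
$samples = [
    'mobile-wallet-definition-how-it-works-vs-digital-wallets',
    "mobile-wallet-definition'nvOpzp; AND 1=1",
    "investing\r\nforged log line",
    ['array', 'input'],
    str_repeat('a', 192),
    '',
];

foreach ($samples as $raw) {
    $slug = validate_slug($raw);
    if ($slug === null) {
        // In the script above, error_log() and the redirect would go here.
        echo 'REJECT ', loggable($raw, 60), PHP_EOL;
        continue;
    }
    echo 'ACCEPT ', $slug, PHP_EOL; // only a validated slug reaches the API call
}
```

Run from the command line, only the first sample is accepted. In the page script, `$_GET['slug'] ?? null` would be passed in place of the samples.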