Another trick I would suggest is to simply catch any character that is not a forward slash, instead of having to declare the characters manually (0-9a-zA-Z), so:
Oh yes, that is a very good point. Catching all would be better for a "fits all" approach. I just personally like small whitelists over blacklists for paranoid security reasons.
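The trade-off discussed in the two comments above, as an added example that is not part of the original thread: it runs an explicit character set and a "anything except a slash" capture over the same paths and reports what each one lets through. The `/item/` route prefix and the sample paths are assumptions constructed for illustration, since the thread does not show the original rule.

```python
import re

# Hypothetical route prefix; the thread does not show the original rule.
ALLOWLIST = re.compile(r"/item/([0-9a-zA-Z]+)/?")  # explicit character set
CATCH_ALL = re.compile(r"/item/([^/]+)/?")         # anything except "/"

# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    "/item/abc123",
    "/item/my-post_1",
    "/item/..",
    "/item/%2e%2e",
    "/item/a.php",
    "/item/a\nb",   # a negated class such as [^/] also matches a newline
    "/item/a/b",
]


def captured(pattern, path):
    """Return the captured segment if the whole path matches, else None."""
    # fullmatch avoids relying on "$", which in Python also matches
    # just before a trailing newline.
    m = pattern.fullmatch(path)
    return m.group(1) if m else None


def compare(paths=SAMPLES):
    """Map each path to (allowlist capture, catch-all capture)."""
    return {p: (captured(ALLOWLIST, p), captured(CATCH_ALL, p)) for p in paths}


def only_catch_all(paths=SAMPLES):
    """Segments the catch-all admits that the allowlist rejects."""
    return [c for a, c in compare(paths).values() if a is None and c is not None]


if __name__ == "__main__":
    for path, (a, c) in compare().items():
        print(f"{path!r:20} allowlist={a!r:10} catch_all={c!r}")
```

Every segment returned by `only_catch_all()` reaches the handler behind the rule, so with the catch-all form the handler has to validate the value itself before using it in a file path, query or redirect.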