views:

270

answers:

5

I have a record edit link that GETs a 7 character alphanumeric text string which is always ZZZZ111 in structure and is then used in a MySQL query to pull all related data for that record id.

Is mysql_real_escape_string() all I need in terms of sanitizing this $_GET['id']? Or are there more steps to take to protect my database?

+2  A: 

To make input safe for an SQL query, mysql_real_escape_string() should be sufficient, though I suggest switching to PDO and prepared statements. They tend to be a little nicer to use, and a little more efficient (the statement is only parsed once, and the query can be re-used).

However, you also should make sure your pages are immune to cross-site scripting by (e.g.) filtering HTML from fields based on a whitelist.

outis
+4  A: 

mysql_real_escape_string() will escape any malicious characters. In addition, you can use a regex like /^[A-Za-z]{4}\d{3}$/ to make sure that the user indeed entered a valid input.

Amarghosh
A: 

mysql_real_escape_string should do the job for $_GET['id']. Also, take a look at prepared statements via PDO.

pygorex1
+1  A: 

mysql_real_escape_string() is a good start, and I would agree that using prepared statements would be a pretty good choice. Zend_Db is nice if you want to look into some DB abstraction which can make PDO easier to work with.

I'd also take this as an opportunity to write some sort of RegEx validator for your input. A sample regex that could get you started is:

[A-Z]{4}[0-9]{3}

More info on PHP and regex can be found here: http://www.regular-expressions.info/php.html

intregus
+1  A: 

If you plan on showing your data to users, you would like to remove any HTML tags as well. Maybe someone inserted malicious JavaScript in a guestbook post, for example?

This can be done with http://php.net/manual/en/function.htmlentities.php

Or you can use an input filter class to allow certain tags etc. I found this one very useful: http://www.phpclasses.org/browse/package/2189.html

jonaz
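The three points raised across the answers (validate the ZZZZ111 shape with a regex, bind the value through a PDO prepared statement instead of relying on escaping, and escape output before it reaches HTML) combined into one handler. This is an added example, not code from any of the posters; the table name `records`, the column `record_id`, the `title` column and the DSN/credentials are assumptions.

```php
<?php
// Validate the id against the expected structure: four letters, three digits.
// \z is used instead of $ because in PCRE $ also matches before a trailing
// newline, so "ABCD123\n" would otherwise pass.
function isValidRecordId(string $id): bool
{
    return preg_match('/^[A-Za-z]{4}[0-9]{3}\z/', $id) === 1;
}

// Fetch the record with a prepared statement; the id is bound as a parameter,
// never concatenated into the SQL text, so no escaping step is needed.
// Returns the row as an associative array, or null if rejected / not found.
function fetchRecord(PDO $pdo, string $id): ?array
{
    if (!isValidRecordId($id)) {
        return null; // reject anything outside the expected shape before touching the DB
    }
    $stmt = $pdo->prepare('SELECT * FROM records WHERE record_id = :id'); // assumed table/column
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed DSN and credentials. Emulated prepares are turned off so MySQL itself
// does the parsing and binding (true server-side prepared statements).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$record = fetchRecord($pdo, $_GET['id'] ?? '');
if ($record === null) {
    http_response_code(404);
    exit('Record not found');
}

// Escape on output, not on input: stored data is rendered into HTML here, so
// this is where a stored script in a field like `title` (assumed) is neutralised.
echo '<h1>' . htmlspecialchars($record['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
```

Escaping happens in two different layers for two different sinks: parameter binding for the SQL query, htmlspecialchars() for the HTML page; neither substitutes for the other.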