Assuming $from_page
is a string value and not an array or object, sanitize_key()
should do the trick, it allows only a-z0-9_-
and I believe is used for permalink.
$cookiename = sanitize_key( 'unrestrict_'.$from_page );
setcookie( cookiename, 1 ...
there’s a whole bunch of wordpress sanitizing functions, reference available in the docs.