Just a few of the many recent nodes you may find interesting:

• Prevent SQL Injection
• Securing DB transactions with user form input
• Preventing SQL injection attacks: are -T and placeholders not enough?
• Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
• Preventing MySQL Injection
• Simple question on SQL Injection

Or, to simplify, as jhourcle says:

[J]ust use placeholders.