There are 2 rules to follow:
1) Filter input
2) Escape output
Also, in the fight against those "evil-doers", I recommend that you NEVER trust user input, i.e. treat all user input as bad.
Begin with escaping all SQL statements...
Most forms of injection can be stopped using this technique.
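The three points above (filter input, keep input out of SQL, escape output) as an added, runnable Python example that is not part of the original post. It uses Python's built-in `sqlite3` module with an in-memory table and constructed rows; the table, column names and the allow-list pattern are assumptions for illustration. The "escaping" of SQL the post recommends is done here with a parameterized query, which is what database drivers provide so that a quote in the input is sent as data rather than parsed as SQL syntax.

```python
import html
import re
import sqlite3

# Allow-list for a username field (assumed format: letters, digits, _ ' . -, max 32 chars).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_'.-]{1,32}$")


def make_db():
    """Constructed in-memory stand-in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def is_allowed(raw):
    """Rule 1 (filter input): accept only what matches the allow-list."""
    return USERNAME_RE.fullmatch(raw) is not None


def filter_input(raw):
    """Reject anything outside the allow-list instead of trying to clean it."""
    if not is_allowed(raw):
        raise ValueError("invalid username")
    return raw


def lookup_unsafe(conn, name):
    """String concatenation: the user's text becomes part of the SQL statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver binds name as a value, never as SQL text."""
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def escape_output(value):
    """Rule 2 (escape output): encode before embedding the value in HTML."""
    return html.escape(value, quote=True)


def run_demo():
    """Runs a legitimate name containing a quote through both paths."""
    conn = make_db()
    name = filter_input("O'Brien")  # passes the allow-list; apostrophes are valid in names
    try:
        lookup_unsafe(conn, name)
        unsafe_result = "query ran"
    except sqlite3.Error:
        unsafe_result = "sql error"  # the apostrophe was parsed as SQL syntax
    safe_result = lookup_safe(conn, name)  # same input, handled as data
    page = "<p>" + escape_output(name) + "</p>"
    return unsafe_result, safe_result, page


if __name__ == "__main__":
    print(run_demo())
```

The point of using a harmless name with an apostrophe is that concatenation fails even on legitimate input, while the parameterized version returns the right row; an input that breaks the query for an honest user is the same kind of input an injection relies on, and binding parameters closes both cases at once.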