I didn't notice anyone mention filtering or the database specific escaping functions. I would recommend:
What are your methods for preventing sql injection? For example, say I am adding $value into my database. What is the best way to make sure that if $value contains " ' " it is inserted itno the database, but does not break the query?
I believe it is a best practice to filter all values that your script uses from the request and to escape all data that goes into a database.
// or for string values
$value = preg_replace('/[^a-zA-Z0-9\_\-]/', '', $value);
// or for integer values
$value = intval($value);
// and for mysql for example
$sql = "UPDATE mytable SET myfield='" . mysql_real_escape_string($value) . "' WHERE ...";
// or postgres
$sql = "UPDATE mytable SET myfield='" . pg_escape_string($value) . "' WHERE ...";