You can't make a form that is safe from SQL injection. What you must do is check the form values that arrive at the receiving script before using them in a query, to prevent SQL injection.
In general, you should pass user input through the mysql_real_escape_string() function.
But if you know a value should be numeric, you can check directly for that. If a value should be one of a given set, you can check that. If you pass the value through the md5() function (the password for example), then that takes care of any possible SQL injection.
Your first line of defence is always validation. If you validate all your fields and reject any where the content isn't valid input for the field then you reduce your chances of injection to just those fields where the injection code iis also valid input. For those fields there is mysql_real_escape_string() to escape all the necessary characters. it doesn't hurt to build multiple layers of protection just in case someone figures a way to bypass one layer.