Even if a value being inserted in a database table is numeric, you should enclose the value in quotes in your insert or set SQL statement. It doesn’t matter that the database table column type is some sort of numeric type. You can still enclose the numeric value in quotes in your SQL statement.
I agree with guido2004 that you should validate all user inputs server side because JavaScript is too easy to switch off in a browser by the user and so JS validation is easily bypassed.
You have to do all validation server side. Client side validation (JS) is an extra, but you still have to do all validation server side.
To prevent MySQL injection, you can use PDO, or sanitize all user input yourself before using it in a query by passing all string values (values that in your query are put between quotes) through mysql_real_escape_string(), and checking all numeric values by casting them with (int).
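
An added example, not code from any poster in this thread: the PDO route combined with server-side validation. The `members` table and the `addMember()` helper are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example. SQLite in memory replaces MySQL here; with MySQL only the DSN
// changes (a 'mysql:host=...;dbname=...' string), and it is worth also setting
// PDO::ATTR_EMULATE_PREPARES to false so the server does the parameter binding.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER NOT NULL)');

/**
 * Validate on the server, then insert with bound parameters.
 * Returns the new row id, or null when validation fails.
 */
function addMember(PDO $pdo, array $input): ?int
{
    $name = trim((string)($input['name'] ?? ''));
    // FILTER_VALIDATE_INT rejects "12abc"; a bare (int) cast would silently give 12.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($name === '' || strlen($name) > 100 || $age === false) {
        return null;
    }
    // Values travel separately from the SQL text, so quotes in $name are just data.
    $stmt = $pdo->prepare('INSERT INTO members (name, age) VALUES (:name, :age)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

// Constructed sample submissions, standing in for $_POST.
$samples = [
    ['name' => 'Alice', 'age' => '34'],
    ['name' => "x'); DROP TABLE members; --", 'age' => '20'], // stored as plain text
    ['name' => 'Bob', 'age' => '12 OR 1=1'],                   // fails integer validation
];
foreach ($samples as $s) {
    $id = addMember($pdo, $s);
    echo $id === null ? "rejected\n" : "inserted id $id\n";
}
// The table still exists and holds the two accepted rows.
foreach ($pdo->query('SELECT id, name, age FROM members') as $row) {
    printf("%d | %s | %d\n", $row['id'], $row['name'], $row['age']);
}
```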