You always need to sanitize ANY input (including arrays and hidden form elements - people can tinker with the HTML before clicking the button).
Basically (I'm no expert on PHP security), as I understand it, the weakness with MySQL is the quotation marks. ' and " can be abused. Basically someone can insert, say, a user id in a login box followed by a quotation mark and then more SQL - in that same text box. That's called SQL injection (so don't go imagining any needles or anything - it's nothing that complex, just an abuse of the basics). This is why you must sanitize ANYTHING that has been transmitted to your site either by $_GET or $_POST - and I do mean ANYTHING.
mysql_real_escape_string() will usually do the job by adding a backslash in front of any quotation marks (which MySQL, like PHP, will then understand as "ignore the next character"), and MySQL will execute the statement ignoring any injected SQL and treating it as input, which will be stored with the rest.
There are also other things to consider - like not giving away which language you're using. You can change the .php extension to another (as long as you can edit Apache's httpd.conf or a .htaccess file to support this), which will mask the usage of PHP. Alternatively just call the directory without the filename - the server will automatically serve any file named index with an extension of .htm, .html, .php etc. So if you want to send someone to accounts.php in the accounts directory, /accounts/ would be the hyperlink and accounts.php could be renamed to index.php. Not the best defence, but every little helps.
CAPTCHA is another method. It's breakable using some special techniques combined with OCR, but still good enough to stop the average bot abuse.
Generally obfuscate everything - i.e. make it as hard as possible for other coders, attackers etc. to understand or abuse.
Even swap field names for MD5 hashes on forms so that attackers can never be sure of the same field name twice (note that advanced bots will still parse the form and use the random names but it still deters SOME).
I'm not a pro developer, I'm still learning myself, but it's basically a case of making things as difficult as possible for an attacker. I had a few problems with bots repeatedly trying to abuse my website a few months back, and they're still trying now, but using the above techniques (and some others) I've managed to hold off any further advances in their tactics.
Also, if you're creating a shopping cart, NEVER allow the prices to be transmitted in any form on your site. Just use the id of the item's row in the database and then take the price directly from your database - otherwise the price could be edited and the form submitted, the transaction processed, and you've just lost money.
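The two points above (quote marks turning user input into SQL, and never trusting a price sent by the browser) in working PHP, as an added example that is not part of the original post. It uses PDO with an in-memory SQLite database so it runs offline; the table names, user, password and prices are constructed sample data. mysql_real_escape_string() from the post belongs to the old mysql_* extension, which was removed in PHP 7.0, so the example uses PDO prepared statements, which reach the same goal (a quote mark in the input is handled as data, not as SQL) without hand-escaping.

```php
<?php
// Added example (not from the original post). Constructed sample data throughout.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse')");
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
$db->exec("INSERT INTO items (name, price_cents) VALUES ('Widget', 1999)");

// VULNERABLE: the text box contents are pasted straight into the SQL text, so a
// quote mark closes the string literal and whatever follows is run as SQL.
function loginUnsafe(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    return (bool) $db->query($sql)->fetchColumn();
}

// SAFE: placeholders. The values travel separately from the SQL text, so a quote
// mark inside $pass is just another character of the password being compared.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return (bool) $stmt->fetchColumn();
}

// Shopping cart: never trust a price that came from the browser. Look the price
// up by the row id the form sent and ignore any price field it also sent.
function chargeForItem(PDO $db, array $post): int
{
    $id = filter_var($post['item_id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('bad item id');
    }
    $stmt = $db->prepare('SELECT price_cents FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        throw new RuntimeException('no such item');
    }
    return (int) $price;   // $post['price'] is deliberately never read
}

// The injected login from the post: a quote mark followed by more SQL, typed
// into the password box. The unsafe version ends up evaluating
//   ... AND password = '' OR '1'='1'
// while the prepared version compares the whole string as a literal password.
$injectedPassword = "' OR '1'='1";
var_dump(loginUnsafe($db, 'alice', $injectedPassword));
var_dump(loginSafe($db, 'alice', $injectedPassword));

// A tampered cart form claiming the widget costs one cent; the database wins.
$tampered = ['item_id' => '1', 'price' => '1'];
var_dump(chargeForItem($db, $tampered));
```

Running it shows loginUnsafe() accepting the injected password and loginSafe() rejecting it, and chargeForItem() returning the database price regardless of the price field in the submitted form. The same pattern applies to MySQL through PDO's mysql driver; only the connection string changes.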