This can occur when you pass user input directly to the database, something like this:

// User input concatenated straight into the SQL text (the mysql_* extension itself was removed in PHP 7)
$query = "SELECT * FROM Table WHERE field = " . $_POST['field'];
$result = mysql_query($query);

The user can put whatever they want into the 'field' field on the form, and the database will execute it. This means a user could enter a malicious string which prematurely terminates your intended query and then runs a query of their own.

Don't directly construct your queries with user input. Instead, you should look into using prepared statements (this is typically handled with the PDO library). Prepared statements can take several forms, but they all involve using placeholders in the actual query string to tell the database where to stick other data you'll pass in later. That way the database can handle any appropriate escaping itself. The code would look a bit like this:

$statement = $db->prepare("SELECT * FROM Table WHERE field = :field");
$statement->bindValue(':field', $_POST['field']);
$statement->execute();

In this case, :field indicates the placeholder for the value later supplied by bindValue. PDO will take care of the escaping as needed.

That said, you should still sanitize any user data as needed.

Never just echo user input back to the user. You should do your best to validate your inputs and reject anything that doesn't conform, but for inputs you need to display back to the user, always use something like htmlentities(). For a heavier but much more thorough option, you can take a look at the HTML Purifier library.

PHP has some nice features built in for sanitizing many forms of user input. I'll simply recommend that you check out the filter_var function and the various filters it can apply.

Hope that gets you started in the right direction.
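The three points of this answer (prepared statements instead of concatenation, filter_var on the way in, htmlentities() on the way out) as one runnable script. This is an added example, not code from the answer above; it runs offline against an in-memory SQLite database through PDO (the pdo_sqlite extension), and the users table, its columns and the $_POST payloads are constructed for illustration.

```php
<?php
// Added example, not from the original answer: the vulnerable query beside its
// PDO prepared-statement replacement, with filter_var validation on the way in and
// htmlentities() on the way out. Runs offline against an in-memory SQLite database
// (pdo_sqlite); the "users" table, its columns and the $_POST payloads below are
// constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Vulnerable: the same shape as the mysql_query example. The field is concatenated
// into the SQL text, so the database parses whatever the user typed as SQL.
function lookupVulnerable(PDO $db, string $field): array
{
    $query = "SELECT name FROM users WHERE id = " . $field;
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Validate first: reject anything that is not a positive integer. filter_var
// returns false (not 0) on failure, so callers must compare with ===.
function validatedId($raw)
{
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Fixed: a named placeholder. The value travels to the database as data, never as
// part of the statement text, and is bound with an explicit integer type.
function lookupPrepared(PDO $db, int $id): array
{
    $statement = $db->prepare("SELECT name FROM users WHERE id = :field");
    $statement->bindValue(':field', $id, PDO::PARAM_INT);
    $statement->execute();
    return $statement->fetchAll(PDO::FETCH_COLUMN);
}

// Output side: escape before echoing. ENT_QUOTES covers single and double quotes,
// so the result is also safe inside a quoted attribute, not only in element text.
function renderName(string $name): string
{
    return '<li>' . htmlentities($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// --- Constructed requests ---

// The vulnerable query has no quotes around the value, so this payload turns
// "WHERE id = 1" into "WHERE id = 1 OR 1=1" and the database returns every row.
$_POST = ['field' => '1 OR 1=1'];
echo "vulnerable: ", implode(',', lookupVulnerable($db, $_POST['field'])), "\n";

// Same payload through validation: it is not an integer, so it never reaches SQL.
$id = validatedId($_POST['field']);
if ($id === false) {
    echo "rejected: not a valid id\n";
} else {
    echo "prepared: ", implode(',', lookupPrepared($db, $id)), "\n";
}

// A well-formed request goes through the prepared statement normally.
$_POST = ['field' => '2'];
$id = validatedId($_POST['field']);
if ($id !== false) {
    echo "prepared: ", implode(',', lookupPrepared($db, $id)), "\n";
}

// Echoing user-supplied text: the payload comes back as inert entities, not markup.
$_POST = ['name' => '<script>alert(1)</script>'];
echo renderName($_POST['name']), "\n";
```

Run it with `php example.php`: the concatenated query returns both users for the `1 OR 1=1` payload, the same payload is rejected by filter_var before any query runs, the well-formed id 2 returns only bob through the prepared statement, and the script tag is printed as `&lt;script&gt;...`. Validating before binding matters even with placeholders: binding `1 OR 1=1` as a string to an integer column is safe from injection, but lenient databases such as MySQL will silently cast it to 1 and match a row you did not intend, whereas SQLite simply finds no match; rejecting non-integers up front removes that database-specific ambiguity.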