A quite thorough explanation of PHP's input filters (and a good article on sanitization) can be found here:
As mentioned, prepared statements are one of the best ways to prevent SQL injections. i.e., you shouldn't add your parameters as part of the final query string. You should use parameter placeholders, and add the parameters via a key/value array.
If you're using PDO, have a look at this page, which describes prepared statements in greater detail:
You are probably interested in the filter_var and filter_input functions: