http://php.net/manual/en/function.mysql-real-escape-string.php
Basically, escape any input you receive from the user. Providing it doesn't break anything for you, it is often worth sanitizing the entire $_POST (or $_GET) array. There are well-written functions at the link above that recursively "sanitize" the input, making it safe to use in your code.
Your worries are warranted, but SQL injection is not very difficult to protect against. Usually SQL vulnerabilities exist due to carelessness, in my experience.
Often SQL injection in its basic form is just adding a single quote or double quote to the input so as to close your SQL field:
$user = "john";
$query = "SELECT * FROM table WHERE username='$user';";
Sets $query to
"SELECT * FROM table WHERE username='john';"
Notice, however, that if we set $user = "' OR 1=1 OR username='"
(Note the single quotes)
We get:
"SELECT * FROM table WHERE username='' OR 1=1 OR username='';"
This query would always return true, thus a successful attack occurs. If we escape the input, the single quotes are escaped so that they aren't interpreted like above. (Think of it like adding a backslash to escape the single quotes that come in via the $user variable.) This is a simple example, and more complicated SQL statements can do a lot more damage, but the method of attack is the same.
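The quote-closing injection described in the answer above, run end to end as an added example (this is not code from the answer or from the PHP manual page it links). It uses PDO with an in-memory SQLite database so it runs offline; the users table and its two rows are constructed sample data, and it assumes the pdo_sqlite extension is installed. The same input is sent three ways: concatenated directly into the SQL text, escaped with PDO::quote() (the role mysql_real_escape_string() plays for the old mysql_* functions), and bound through a prepared statement.

```php
<?php
// Added example: the answer's "' OR 1=1 OR username='" input against a
// concatenated query, an escaped query, and a prepared statement.
// Assumes the pdo_sqlite extension is available; the data below is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: a users table with two accounts.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$db->exec("INSERT INTO users (username) VALUES ('john'), ('alice')");

// Attacker-controlled input from the answer: it closes the quoted literal,
// then adds an always-true condition before the closing quote of the template.
$user = "' OR 1=1 OR username='";

// 1. Vulnerable: the input becomes part of the SQL text, so the WHERE clause
//    turns into  username='' OR 1=1 OR username=''  and matches every user.
$vulnerable = "SELECT * FROM users WHERE username='$user'";
$rows = $db->query($vulnerable)->fetchAll(PDO::FETCH_ASSOC);
echo "vulnerable query: $vulnerable\n";
echo "rows returned: " . count($rows) . "\n";

// 2. Escaped: PDO::quote() wraps the value in quotes and doubles any embedded
//    single quote, so the literal stays closed and the condition is compared
//    against the whole string. No user has that literal name.
$escaped = "SELECT * FROM users WHERE username=" . $db->quote($user);
$rows = $db->query($escaped)->fetchAll(PDO::FETCH_ASSOC);
echo "escaped query: $escaped\n";
echo "rows returned: " . count($rows) . "\n";

// 3. Prepared statement: the SQL text is fixed before the value is supplied,
//    so the value is never parsed as SQL and there is no escaping step to
//    forget on a later query.
$stmt = $db->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute([':username' => $user]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared statement rows returned: " . count($rows) . "\n";
```

Run it with `php example.php`. The first query lists both accounts because the injected condition is part of the SQL, the escaped query lists none because the quote is now data inside the literal, and the prepared statement lists none for the same reason without depending on a per-query escaping call. The escaping approach works only if every interpolated value is escaped every time and the escaping function matches the database's quoting rules, which is why prepared statements are the option to reach for first.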