• Plus 1 for Shaun's suggestion.

    Any interfacing with the database should be done through stored procedures. Not only does this prevent injection attacks, it will also improve development because the business logic can be built into the database where it can be shared between different front ends. Search the web for n-tier architecture. Some people prefer a business application layer so that in theory both the front end and database can be swapped out.